Would they, though? The content industry (DRM's "customers") have proven time and time again that they just do not give two short sharp shits about the sanctity of copyright law (or, at least, the sections of it which expire). I don't think the technology should be outlawed — I think that the use of the technology to subvert the normal course of copyright (that is, to break the law) should be, however.
Problem being that malicious code just needs a stupid user to run it, and little else. Sure, you need to be logged in, but purple monkeys and similar have proven that idiots will run anything with a friendly face.
Significantly better than an exploit that requires no interaction whatsoever though, yes.
I'm intrigued by the whole idea — he makes clear that this is not the system that's currently used for media DRM, but doesn't really explain what the difference is. It seems to be some kind of "opt-in" copy protection of an arbitrary nature, which seems strange, almost more like an accessible frontend to some kind of encryption system.
On a wider note, my personal opinion is that those who develop DRM aren't the evil ones, those who sell DRMed material are. I really hope that, in the spirit of economics, it can be stamped out by simply not buying the products. Of course, the problem is that not enough people realise their rights are being trampled, and this approach only really works en masse.
Yeah, I believe it's a compilation target for Sparkle-generated apps. Calling it a Flash competitor seems wrong to me though, it's closer to Java than Flash, albeit Java with a fancy Flash-like UI designer.
If you read the Great Grandparent's post, you see that your Grandparent post was saying that there wasn't a notice, and your parent's post was simply correcting that mistake.
I seriously doubt they mean that it "makes it all alright".
Worth noting that Sparkle is an interface designer for arbitrary WPF applications — most "Vista-based" applications can use it to design their interface, with a little less silliness than current interface designers have. Although I think it can make "web-app"-style things, that's not its primary purpose. From what I've seen of it, it's not even trying to be a Flash killer. The fact that its interface looks like Flash is just testament to Flash having a good interface for making animated things.
The same event I saw a demo of WPF (I forget what Microsoft is calling it now - most everything I saw at the conference was identified by codename - but WPF stands for Windows Presentation Foundation... I think it might be "Avalon" now)
Other way around — Avalon was the codename, WPF is the official product name, I believe.
The summary is misleading. This is not a "Flash-killer". It's not even designed for creating webapps, as such (I believe it can, but as you say it's kinda defeating the point in most cases). Sparkle is an interface designer with a Flash-like interface.
People see it and think "wow! That's like Flash!", but fail to realise that the system is actually creating native WPF widgets (often with changed appearance) for WPF, the main display system of Vista (which allegedly has an XP version too).
This isn't Flash, it just looks like Flash, because Flash has a nice interface for creating things which have animation in them, and MS have aped that, just like everyone apes everything from everyone else in the land of software, in a process we call "progress".
There is a distinct difference between being asked if you want to install a new component to your web browser and a built in "run random code" feature.
ActiveX components must be accepted by the user as a browser plugin, and there are a number of large, nasty-looking warning screens associated with this. I'm not sure what you mean about "run random code" functionality (I have not used IE in some years so I'm not that familiar with ActiveX, but I do know that ActiveX components have to be accepted by the user before their use). Is there some other mode?
They might be "good enough" to last while there are plenty of older systems to compromise, but it will not last in the long run.
I agree, but there are apparently great improvements to this in Vista. That, of course, remains to be seen, and of course XP will continue to be used for a long while afterwards. But, as you mention, these changes are fairly fundamental, and they would be breaking changes to XP. MS have shown an unwillingness to make changes to their system which will break backwards compatibility, and I can only hope that this trend changes with Vista to allow better security systems to be introduced.
Your faith in SP 2 is badly misplaced.
My "faith" is based upon the fact that the state of the system, at present, is good enough for me to use every day with a good assurance against compromise. I do not feel any safer on my FreeBSD box than on my Windows one, because there are no current problems which would affect me that would not require my interaction, and I'm a skilled-enough user to be cautious for such things.
ActiveX is basically a way to run random code on your machine, from a website, without the user being asked, and without a proper VM or jail.
The plugin architecture in Mozilla, off the top of my head, also meets these criteria, except the "without the user being asked" requirement (which hasn't been the case for a long time).
A jail would be good, yes, but picking ActiveX over the Mozilla (for example) plugin layer here doesn't make a good point. I will assume that Safari (which I don't really know the system behind beyond some of the KHTML stuff) has a better system for this though.
Last time I used an XP box nothing warned me when I downloaded an .exe or a .jpg.exe file using IE. Nothing warned me the first time I ran a .exe file. Is this no longer the case?
The first part is fixed, the second part is "sort of" fixed (it warns you from the downloading program if you invoke the program from there, if you were to save it and then run it — which would require your direct knowledge that you were doing this — it does not warn you).
What?!? I'm talking about the OS. When you try to write any executable file to disk and when you execute any executable file that has not been executed before it warns you. If this behavior does not apply across everything it is a lot less useful. So if I install an FTP client on XP-SP2, you're telling me I get a warning when I download a .exe, .pl, or .vb file? Because if you are, it is news to me.
Interesting. I don't think it's a behaviour that's replicated on Windows, no (I know it's not replicated on any other system I've seen, and I've not used OSX for long enough to see it in action, so I got a bit confused there).
Basically you have focused all of your attention on one security limitation of Windows without addressing the myriad other problems. Fixing one problem will help, but it won't make much difference in the long term. You have to close and lock all the doors. There is a lot of information on Windows security flaws available online. Google is your friend.
Having looked through Google for flaws, I have learned that a default install of XP SP2 is safe enough for everyday use. Most things people can be hit with now are caused by people clicking through warning screens, which is essentially a large problem with most systems. The worm problem you mention before is not so much of a problem any more, since the firewall (not the best of solutions, no, but it works) stops exposed services and is enabled by default. Also, the problems you mention with default applications (which I admit I don't use, because they're generally awful) were patched years ago.
I wasn't trying to say that OSX was as insecure as Windows, though. Calm. :)
OS X does not, and has never shipped with a bunch of exposed services.
Wasn't OSX previously criticised for just that? Also, clarification (rather than laughter) would be nice on the ActiveX issue (it's not something I've looked into personally, but this is something I have heard from several people, not friendly to Windows, who know more about security issues than myself - any more information would help me get the last laugh in the pub, which would be great, cheers).
Windows no longer ships with exposed services, and I think we all know that was really, really fucking dumb in the first place, though, yes.
Worm-style exploits are high-profile, but in general, in particular since SP2, there's not a lot more in Windows to allow this sort of attack. Also, sorry to skip back, but:
The differences are nothing auto-executes scripts,
Good point, but on Windows since SP2 warnings are generated for scripts being run (correct me if there's exceptions to this).
privilege escalations are non-trivial,
Only the case on Windows if the user is running as Administrator. Which they often are. But I did mention this in my previous post (in the part you mention later).
and users are warned when downloading anything that may execute and again the first time they try to execute something.
This is the case on Windows, since SP2 (unless applications specifically override this behaviour, which I assume it is possible to do on OSX?).
Even then, most users are not root, so it requires a password to install a rootkit.
Doesn't it ship with Python? At the very least bash scripts are equivalent in a fairly functional way. Trusting silly scripts is required, and dumb, but in most cases this is required on Windows too.
Also, ActiveX isn't really a security problem these days either. I've heard its infrastructure was pretty dumb for a while, but in its current incarnation I've not seen it to be much less safe than the equivalents in other (particularly browser) software.
As you mention, the main benefit of OSX (and other fairly sensible OSs) is damage limitation. Although Windows has a perfectly serviceable security infrastructure, it's simply not used by default, not insisted-upon. Some applications require administrator privileges. This is the biggest problem — particularly since SP2 (and it's shocking that it took that long to get it right, but it's a great deal safer now), XP is not a significantly less secure target for attacks than its competitors. The problem is that the scope of damage that's available to the attacker without specifically prompting the user (which history has shown does work, which is a problem with just about everything) is just much, much greater.
There's always the argument that on a single-user machine (the only scenario that a Windows user should really be running as administrator, barring the requirement of an Administrator-only application that's required) that trashing the user account is effectively as bad as trashing the whole system, but this isn't a hugely convincing argument when it's basically covering up a pretty serious, fundamental flaw.
Well, yes, but the function was a known, specified function, was it not? I just saw stupidity, rather than foul play, when I read about that one. I'll maybe give it another look though, now that you've mentioned it. I've not been looking at much of anything in any depth recently.
To be fair, that article completely missed the fact that the WMF vulnerability was a known feature of the file format since times ancient. It's just something people (stupidly) forgot about when security became an issue.
For the most part, Mac users get angry because Macs and OS X are so clearly superior to Windows PCs--which arguably is objectively true
It's also just as arguably objectively untrue, to be fair, but you'll find few to support that theory on this site. I'm shying away from the platform wars though, I don't really care (I'd have a Mac as well as my other boxes if I could afford one).
As for the design work, it's pretty unfair (not comparing apples to apples, so to speak) but I'm in no mood to argue and there'd be very little point anyway :).
I'd say idiots are both the primary cause of AIDS transmission, and are also the disease's primary victims. That's pretty uncontroversial when you look at the evidence.
I have to say that I disagree with this, because the "idiots" in Africa that you mention afterwards are the disease's primary victims, and not being able to find out about these things does not make one an idiot.
For the record, do you know if the "unprotected homosexual contact" figure includes "accidental" (protection failing) cases? Because if not, that group is pretty much fully idiot (except for those who were misled by people that they were in a position to sensibly believe that they could trust, which can't be that many), yes.
I talked about being unhealthy, uneducated, and unable to have access to decent healthcare.
Whereas I was directly arguing against the "idiots" part. I've no doubt that the factors you mention contribute far, far more than people being idiots, which was my point. I'm not talking about political incorrectness, I'm talking about factual incorrectness.
I didn't disagree with you, I disagreed with the foolish thesis put forward by the post I originally responded to. You seem to have taken my "I disagree" a little out of context — I disagree with you agreeing (as you said you did) with the post's explanation of AIDS. That's all.
I don't think that you disagree with me (although it seems clear that you think you do) so I'm not going to argue with you here (there's little in your post that I would want to try to refute anyway).
I disagree — the vast majority of AIDS sufferers are in countries and areas where there just isn't the education to prevent such things. This is not the same as "idiocy". These people do not deserve to die (in larger terms, no-one deserves to die, but I digress), and in particular they are not "idiots".
I'm willing to admit that there's been people who have contracted HIV/AIDS from their own idiocy, but to call it "nature's way of weeding out idiots" is both insensitive and incorrect.
You made a broad, sweeping, inaccurate remark, and I made one back. I have no idea if you're stupid, but I'd say there's about as good a chance of you being an idiot as there is of AIDS being "nature's way of weeding out the idiots", from the simple evidence of you saying something like that.
I dunno, I more see it as those that use it being evil. I guess it's all semantics though.
I think he/she means Sparkle. If they're in the UK, this is forgiveable, since it's still morning time here :)
Best one-word argument I've seen in a while... if I had mod points right now...
I'm not everyone, though, no.
Damage limitation again, but yes.
When have Microsoft made Spyware, exactly?
Don't be indignant just because you're an idiot. :)
If nature did have a way of weeding out idiots, you'd be in serious trouble!