Silverlight offers more for the developer, not exactly for the end user. Since it enables developers to do more, easily, the benefits will pass on to the users. At least that is the idea. Silverlight will open up Flash-like development to regular web developers who develop in Python, Ruby and C#, not just specialist Flash developers. And before you accuse me with your paranoid mindset, I am not a Microsoft employee.
Do we really need this? Do we really need to introduce multiple client-side languages like this? We're just creating more avenues to exploit clients. Adobe has had years to get Flash right and we're still finding exploits that can be used to install malware in the background. Only the DLR (Dynamic Language Runtime) runs in the browser plugin. IronRuby, IronPython, C#, VB.NET, whatever else will just be compiled to the DLR. No Ruby code will ever be sent to the browser like you claim. I'm all for this because, seriously, who enjoys coding in JavaScript? It's a hack of a language invented at Netscape at the height of the 'anything goes' internet boom.
What's so insecure about the MSIL (by which I presume you mean .NET) compared to any other environment (Java, Rails, PHP, etc.)? I am really curious to know. I know this is Slashdot but please try not to reply with 'Everyone knows it is'.
Some web frameworks make it easy to scale and some don't. I don't know why you need to get all worked up when people say Rails does not scale as easily as other frameworks. Rewriting Twitter in C may not yield much benefit, but if it makes it easier to go out and buy 10 machines and make it scale even with an algo that isn't super perfect or elegant, that's better than having a framework that doesn't do that.
MS' ass is still bleeding from the reaming over Java.
MS accomplished what they set out to do with Java. They turned it into a non-entity for web (applets, not server) and desktop applications. The real fault lies with Sun though. All MS did was make extensions that made MS JRE (available only for Windows) run way faster and better than Sun Java (available for all major platforms). Developers started using those extensions because it made applets way faster and zippy compared to Sun Java.
Sun realized this quite a bit late, sued MS and got a nice settlement close to a billion, but that made MS drop Java like a hot potato and go with .NET (they had plans for .NET from way earlier though, but dropping of MS Java was triggered by the lawsuit). This is why suddenly you couldn't download a runtime from MS and had to download only from java.sun.com.
I can't say I'm not happy with the result though. The JRE makes any decent machines go down on its knees when it starts and occupies a huge chunk of RAM for itself. It's as if suddenly 80% of your RAM and CPU are gone once the JRE starts. I remember running Azureus for a while on a 256MB laptop and waiting for minutes for Opera to show me web pages. Once I found a decent BT client that didn't use Java, I dumped Java apps (including OO.o :/ ) except for occasional Yahoo! Games. I hear it's better now, but like Lotus Notes, if it was once horrible, the new version can only be barely usable. Java is relegated to the backend of servers, calculating business logic and serving web apps, though .NET seems to be overtaking Java there too.
I am talking about the default options. I would estimate 90%+ of people out there won't configure their browser to auto-download files on a single click. What's your estimate? Most people don't change their default options. Hence Safari makes it unsafe for normal users because it silently auto-downloads stuff BY DEFAULT. You can auto-download stuff onto your mom-in-law's for all I care, but I don't want my mom to auto-download viruses on her desktop just because she happens to use iTunes and Apple sneaks in a half-ass made insecure Safari on her disguised as an iTunes update.
If it were, Theo de Raadt would be all for using Xen/Virtualisation. Which I'm very sure he isn't. And Theo is the end and be all of security and he can never be wrong? If less code is better then why do we even have firewalls with so much code in them? You're just committing the fallacy of authority and throwing around some platitudes to get past the fact that Apple did break a security layer that makes exploits and annoyances easier.
You're talking about Web sites, I'm talking about Web servers. I did use a reputable source. Err what? I am really sorry but I have to ask. Did you fail reading comprehension? Are you capable of reading and understanding at least the title of the page that I linked to? Please? It's really hard to discuss things with someone that's either mentally impaired or intentionally acting dumb.
I don't have time right now to respond to all your points but this:
"An edge? 73% Apache vs. 19% IIS is more than an edge. :)" You really need to get your info from your respectable sources. Here you will see that it's more like 50% vs 35% with IIS catching up real fast recently. Please check your facts from respectable sources before accusing others of pulling things out of their behind :)
Pretty much every browser I've ever used downloads files and saves them in a place on the drive known as the cache. Is saving certain filetypes in a different location really that much different? Yes it is. Executable files are not downloaded to your cache without your interaction or consent.
Plus, a browser that downloads files when it can't render them does seem like a stupid security hole. What browser doesn't do this? I just tried serving binary files as "Content-Type: slashdot" and Firefox, Opera, and Konqueror all downloaded the files. Did they show you a prompt to allow you to download or cancel or did they just put it in your desktop or downloads folder without ANY interaction from you?
It isn't a flaw if Safari is running in OS X, as many of us have pointed out.
Still, Apple really should've given MS users the same protection OS X users enjoy. Unfortunately it is true that Apple software on windows isn't nearly as good as it is in OS X. I love my Mac, but I certainly wouldn't call Steve Jobs a nice guy who plays fair. Sorry, it's still a flaw even if OS X gives you a warning while clicking on a file about it. This flaw allows random websites to flood your OS X Downloads folder without any warning whatsoever. You can't spin away facts. Sorry.
Sure, it's a really good sandbox... not really.
If you have an exploitable plugin installed you're still fucked. Most plugins run inside the sandbox. Flash apparently does not, which is surely lame. But security is all about layers. The sandbox is one more layer that the attacker has to bypass. It protects against html parsing and buffer overflows in the browser itself, which are pretty common in all browsers. Only IE on Vista has this layer protecting users at this point. Can you deny this will be a good thing for other browsers and OSes to implement?
I have little faith in The Register's reporting because they don't seem to have tried it for themselves. Konqueror does not download things without asking the user and the GP claims the same [slashdot.org]. You would think that Register staff would have tested this for themselves when they ran the last article and got that comment about warning messages. The whole thing is half baked Microsoft FUD passed off as news. Have you even read the second link in the summary pointing to the blog of the actual researcher instead of reading anecdotes from slashdot posters and the register?
1. Safari Carpet Bomb. It is possible for a rogue website to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed). It does work in Safari in spite of your wishful thinking. I am not going to waste my time responding to your other points because it's clear you failed reading comprehension and believe anecdotes on Slashdot. And who said anything about Konqueror? Please go away.
No it's not. Your computer can be uploading all your files using idle priority cpu/disk and network and you still won't experience any usability issues. Unless you want to spin identity theft as a usability issue.
I think you're blowing a lot of hot air there. Cool down. *nix might have an edge in market share, but IIS has not had a remote hole in many years compared to Apache.
Also, the privilege escalation methods on *nix are less obnoxious than the Windows equivalent, which is usually switched off as a result. Meaning Windows hasn't got the relevant market share, and is less secure than the alternatives. Is that why we see a ton of *nix web servers exploited by php vulnerabilities and misconfiguration? Lazy admins cause 90% of the real world exploits out there, not the choice of OS or software. I would say Linux and Windows are more secure than Apple code at this point. Windows used to be far more shittier before Win2k.
Thanks for the link. Konqueror on GNU/Linux brings up a save file dialog. Safari on OSX does the same. It seems like the problem is not with the browser.
That is some fucking awesome and brilliant spin right there, from both the Register and you. The vulnerability DOES work in OSX, it CAN carpet bomb OS X too. Read the article carefully. He says that vulnerability does not exist because Finder shows a warning before you open the already auto-downloaded files.
Ignore the fact that downloaded files from Firefox show the warning in Windows. Ignore the fact that Safari for Windows does not do what it's supposed to do and mark the files as being downloaded from the internet. What if I write a browser for OS X that doesn't mark the file as dangerous? I bet Finder will execute it with nary a warning.
I am sure Firefox can be configured to do the exact same thing, it just so happens that Apple already configured it to. I sure can go download random junk and spyware exes from the internet and put them on my desktop if I want to. Doesn't mean Apple has to do it for me by default.
Firefox still opens up 4 windows asking what you want to do with the script. Right, because opening 4 windows has the same security effect as putting 4 malicious executable files with pretty icons ready to be clicked on your desktop?! The spin on here is so thick that you can cut through it with a knife.
Why all this hubris and spin just because it's Apple? Why not handle it like Firefox does and be done with it? Do we see complaints from Firefox users saying 'Fuck! Firefox doesn't autodownload unknown filetypes. Please, Mozilla, let random websites download files of any size to one of my drives. Make use of those millions from Google. DO IT NOW!'?
You RTFA again.
Apple does not feel this is an issue they want to tackle at this time. In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion: ...the ability to have a preference to "Ask me before downloading anything" is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated. [credit to BK have-it-your-way Rios for suggesting the term "Carpet Bomb" to describe this issue]. That doesn't sound anything like what you're spinning it to be. It IS a security issue to have malicious files with pretty icons lying around on people's desktops, ready to get triggered by a click, whatever you or Apple spin it as.
Nice try. Sacrificing usability for security. Imagine how many people would've gone and downloaded Firefox if it were so difficult to execute a file downloaded from IE5/6/7 ?
Uh? Who was talking about communication between clients here? Did u reply to the wrong post by accident?
So how is this the same as SILENTLY downloading files on to the desktop or downloads folder?
I finally figured it out! I think they spend all their time on Slashdot modding anti-Apple posts as offtopic.
As I said, even if only a very few use it, it's still a LOT of people.