Slashdot Mirror


User: Maxmin

Maxmin's activity in the archive.

Stories: 0
Comments: 419

Comments · 419

  1. Re:"Program Units" - potential for misuse on Web 2.0, Meet JavaScript 2.0 · Score: 2, Interesting

    At first glance it appears that one could easily inject malicious script via a man in the middle attack. Now I'm sure that the designers have thought about this so my question is, how does JavaScript 2.0 protect against this?

    You're talking about signed scripts, something not very commonly used. Something about being endlessly prompted to approve your browser's verification of the script's authenticity, or some crazy shit like that.

    Point is, however, you're talking about a vulnerability that's in the network. Any protocol or script or program sent over the 'net is vulnerable, unless signed, and even that can be faked. A hacked DNS server at your ISP could redirect you to a phishing site when you visit your bank's website. Or, Verizon could redirect your negatory DNS lookups to one of their spam servers.

    ... one could easily inject malicious X ... how does language/protocol/client Y protect against this?

    See? So, the question you have to ask is, how common are MITM attacks? I don't know the answer, but it seems more likely that your bank or ISP or online retailer is going to "lose" a few million financial identities to hackers, than you'd fall victim to a silently-inserted malicious script.

    But who knows? Web browser security is notoriously tissue-thin, so we all have risk profiles with non-zero p, and the MITM attack could come along any vector - flash, HTML, HTTP, DNS, SMTP, etc.

    Look at all the malware out there, a far more tangible problem; downloaded by unwitting noobs, busily building networks of zombie spam bots or whatever. MITM seems a more risky technology investment for the digital conman, with the penalties of being traced and caught. Kind of amazing that malware authors aren't chased down the same way hackers are. Maybe I don't watch enough television - missed when Prezzie Bush signed the anti-malware bill into law.

  2. Re:Microsoft's revenue schedule on Microsoft Submits Windows 7 for Antitrust Review · Score: 1

    The fact that Windows 7 is coming out soonish gives credence to the rumour that it's a re-dressed Vista with lower hardware requirements.

  3. Re:This is why I backup my Gmail with G-Archiver on G-Archiver Harvesting Google Mail Passwords · Score: 1

    Heheh, good point. I meant the user/password harvesting, given the opportunity for code review by people other than the developers.

  4. Re:This is why I backup my Gmail with G-Archiver on G-Archiver Harvesting Google Mail Passwords · Score: 1

    Also - G-Archiver is not open-source. Open source would've increased the likelihood that this bug/feature came to light, sooner. I don't deny anyone a right to make a buck off their sweat, but you know the chance of this happening with OSS is less, due to public scrutiny and many prying eyes.

  5. Re:This is why I backup my Gmail with G-Archiver on G-Archiver Harvesting Google Mail Passwords · Score: 1

    The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product.

    If there's a warm body at the receiving end of that email address, then you know they're fulla shite.

    Anyone try sending email to the harvesting account?

  6. Re:You fail. on Bank Julius Baer Issues Statement On WikiLeaks · Score: 1

    A complete lack of capitalization is the latest craze, but it and block-caps typing are often each a very rapid indicator of the intelligence of the typer in my experience.

    hmm. this claim is plausible, if improbable coming from a user id under 70k.

    however, because i'm just that kind of guy, i'll step in for you.

    in modern *nix times, the use of all lower-case letters in electronic messaging has come to signify one is a 37337 4ax0r, or at least an individual with pretensions rooted in nerdness, and a resulting interest in preserving bandwidth due to the inherently greater compressibility that results from encoding messages with a smaller character set. as more and more internet communication is conducted on higher-bandwidth connections, from clients equipped with utf-* capability, instead of the flat 7-bit ascii nntp favored, this convention's technical justification has begun to fade.

    there is a strong reaction against using all-lower-case letters in a message for this reason; sentences are more difficult to read without capital letters to signify starting points, and anyone willing to type in all lower-case is frequently unwilling to use punctuation or paragraphing, adding to the headache of potential viewers.

    use all-lower-case letters sparingly, like a weak miso broth, and allow your writing steep time, thereby flavoring the word soup.

  7. Re:And this isn't in idle...why? on Diebold Leaks 2008 Election Results · Score: 1

    Because it's April F ... uh, nevermind.

  8. Re:Unproven Technology on Library of Congress's $3M Deal With Microsoft · Score: 2, Insightful

    So what's better, tying yourself to a brand-spankin'-new, unproven technology, one that's still under development, and still released as "beta" -despite being labeled "version 2.0"- and requires downloads even for users of the latest MS o/s?

    Or, stick with Flash, a technology that's been around for a decade, whose download size is still around one meg after all these years? Has tons of open-source projects around it, even open-source releases of the player technology? Think MS's OSP is gonna allow anything similar to take root around silverlight, and you're a sucker.

    They're gonna be working on that thing for years. Every time you visit a "Silverlight-enabled" site, time to top off by downloading the latest patch release. And, ooops, what happens when a Microsoft Silverlight security hole is reported - your machine is now compromised, lucky you!

    But here's the real barometer: Flash runs just about everywhere. Microsoft's put out versions with (buggy) compatibility for Safari and Opera. How long is the company that is anti-everything-but-Microsoft gonna support versions for these platforms? My prediction: the infamously fickle Microsoft will drop support for the lesser browsers within a year - that's their modus operandi.

    Oh, and, whoops - Flash supports Linux, Microsoft's Silverlight don't. Mono doesn't count, they're still working on making SL 1.1 run.

  9. Re:Unproven Technology on Library of Congress's $3M Deal With Microsoft · Score: 1

    Ooh, and if anyone took a look at www.myloc.gov, you'd notice it is, indeed, a Flash site. Hmm.

  10. Re:Unproven Technology on Library of Congress's $3M Deal With Microsoft · Score: 1

    Particularly when you realize just how fickle Microsoft is with its own "yup invented here" technology.

    If Silverlight don't shine, Microsoft may drop it, like they have so many other technologies they've created from a "yeah we can beat XX with our own incompatible version" business strategy (substitute "Flash" for "XX" in this case.)

  11. "Transient Dormitory" on Google's Addiction to Cheap Electricity · Score: 1

    Did anybody else spot the 16,500 sqft. "Transient Employee Dormitory Building" on the blueprint? The fine print reads, "2 Story, 20 Units."

    A hostel for Google engineers, on shift rotation at this week's datacenter?

    Hotel Google.

  12. Re:Traveling while Muslim or Middle Eastern on Examining the Search and Seizure of Electronics at Airports · Score: 5, Interesting

    Well, there's the No-Fly List. I know a civil rights attorney in Manhattan who has to drive or take the train much of the time, because he's on the federal govt's unpublished, unacknowledged No-Fly List. He's never been charged with a crime, he's not a terrorist ... but his firm represents a handful of them down at Guantanamo, and he's filed briefs on their behalf.

    He's a Jew of European descent, caucasian by appearance. I think it's down to his job and the actions his firm takes on behalf of Guantanamo detainees.

  13. Re:United Police State of America on Examining the Search and Seizure of Electronics at Airports · Score: 1

    What do the "worlds baddest guys" hate the most about America? Our Constitution.

    That's a pretty good one ... sounds like you actually believed W's sound-bites from that speech. Which means you believed the WMD speeches and probably still do.

    The truth is, they hate that we get so many more cable channels than they do. As you alluded to with your Star Trek comment, *that* is the freedom that most Americans will be exercising today.

  14. TANSTAAFL!! on Yet Another Perpetual Motion Device · Score: 1

    Well, I think he's inducing magnets through a magnetic field--not a metal. And this doesn't act as a brake but instead speeds it up.

    You're missing the point. In any generator system such as his, there are physical costs: bearing friction and air drag, to name two primary sources. They require a continuous supply of energy to be overcome.

    Stupid-simple equation: startup energy - (drag + friction) = net system energy

    His claim is no different from all other perpetual motion contraptions, that his technique will take the startup mechanical energy and use it to somehow generate additional mechanical energy. Meanwhile, the friction costs are removing energy from the system. To avoid that downward energy curve, it will require additional energy input to continue spinning. Where will that energy be coming from?

    Answer: his butt.

    Wow, I'm almost cautiously excited.

    We've got chemistry here! You feel it? I felt it!

  15. Re:"robust object model??" on PHP In Action: Objects, Design, Agility · Score: 1

    For coding, I find PHP5's syntax clearer - verbose keywords are the key, for me. For usage, I find Perl's better - simply require/use a module, instantiate, use, etc. Plus, the CPAN archive of modules and classes is outstanding.

    However, I feel about Perl's OO the way I feel about Javascript's - it's syntactically weird, as you say, and not verbose enough for me. Too much implied through context and operators, not enough spelled out. That said, I tough it out and work with 'em both.

    For Javascript, syntax is apparently going more verbose in the next major ECMA release... if I understand this correctly.

  16. Re:"robust object model??" on PHP In Action: Objects, Design, Agility · Score: 1

    Haha - well, that's a good point, but one I won't concede due to my long-lived habits. =)

    Some static properties you only want to initialize once, and they're not singletons or the like, so you don't necessarily want to trigger their initialization through the constructor. I suppose you could wrap the static initializer code in another static method, then call that method from the bottom of the .php file that defines the class. I have a recollection that there are problems with that.

  17. "robust object model??" on PHP In Action: Objects, Design, Agility · Score: 5, Insightful

    PHP introduced a robust object model, and made it easier for its proponents to create well-architected Web sites and applications.

    While I agree with the latter overall, I dispute "robust object model." What's missing? Polymorphism is sketchy, and static initializers are missing, for two. In PHP5, you can only initialize static properties with literals or constants - no function or method calls.

    Also, calling up the inheritance chain, to a grandparent class's implementation of a method, is difficult to say the least.

    While PHP5 is a *lot* better than PHP4 (and probably Perl if one took the time to compare) - it's not really comparable to truly robust OOP languages such as Java, Smalltalk and C++.

    Mind you, I code in PHP5 for a living. It gets the job done, but it has to be called on its limitations, and you gotta be honest and tell programmers who want OOP from PHP5 that it has limits, and how to work around them. None of this "robust object model" stuff.

  18. Re:Gee... on FBI Burying Doc Showing US Officials Stole Nuclear Secrets? · Score: 1

    pardoned by Bill Clinton, if you remember, in exchange for some thousands of dollars in bribes

    Hey, was this ever proven? I remember it being a big deal, at the time, but never heard whether a case was filed.

  19. Re:Gee... on FBI Burying Doc Showing US Officials Stole Nuclear Secrets? · Score: 1

    you think the Plame case was anything but a publicity grab and political stunt on the part of Ole' Joe Wilson?

    Aha, now it all makes sense! Plame's husband Joe convinced her to convince Novak/Libby/Cheney/Rove to leak her name ... because it would help John Kerry's campaign. Yup, I can especially see Cheney and Rove getting behind that one, what with the concurrent Bush campaign and all.

    It was all a conspiracy, by the CIA through Wilson/Plame, to boost Kerry enough to defeat Bush! The friggin' CIA was behind it!!

    And see how well all that worked out!! Moral of the story: never trust Company men with something better outsourced to your buddies over at Haliburton and Blackwater.

  20. Re:What consumers really want to know... on US FDA Deems Cloned Animals Edible · Score: 2, Informative

    They can make crops immune to diseased insects

    "diseased insects?" Care to give an example? Most of what I know about insects and genetically-engineered crops is the Bt toxin added to the corn genome. The corn emits Bt, which is then consumed by corn borer larvae, who die. It's a pretty interesting thing, except that you now have Bt toxin inextricably laced into commodity corn.

    Aventis Crop Sciences patented a variant of Bt corn, called StarLink corn. It contained a variant of the Bt toxin that was considered potentially allergenic to humans - StarLink was banned by the FDA for human consumption, but StarLink corn was later found in corn taco shells at Taco Bell.

    I like the idea of genetic engineering, and believe someday some serious good will come of it. However, when the FDA considers transgenic species "same-as" native, unaltered species, that's just too loose a policy for me. Many cases of pollen spillover have been documented, showing that transgenic plants are spreading. A side-effect is that wild plant species related to the transgenic species are picking up some of the new traits. So, there's no protecting wild species from our genetic fuckery, meaning we'll continue to see its effect over time.

  21. Re:Peanuts on US FDA Deems Cloned Animals Edible · Score: 1

    What's to say some variant of a protein created in a GM crop won't trigger massive allergic reactions in a very small proportion of the population.

    How about brazil nut allergen in genetically-engineered soybeans? It happened: "Identification of a Brazil-Nut Allergen in Transgenic Soybeans."

    Conclusions: The 2S albumin is probably a major Brazil-nut allergen, and the transgenic soybeans analyzed in this study contain this protein. Our study shows that an allergen from a food known to be allergenic can be transferred into another food by genetic engineering.

  22. Re:Breeze to Program on MS To Push Silverlight Via Redesigned Microsoft.com · Score: 1

    Oh yes! A closed-source, proprietary solution that will probably be unspiderable! Let alone incompatible with all the other browsers.

    At last, a way has been found to reduce microsoft.com's pagerank!

    Talk about shooting oneself in the foot...

  23. Re:Link to the official BRAWNDO website on Brawndo, It's Got Electrolytes. It's What Plants Crave · Score: 1

    A case of Brawndo runs $40 for 24 cans, or about $1.70 per. Isn't that ... pricey?

    Looking at the rest of the site, I get the impression that this is part of the DVD marketing campaign (like somebody else posted.)

  24. Re:What about gender? on Picture-Sorting Dogs Show Human-Like Thought · Score: 1

    I... see where you're going with this... a pet that will surf the web for porn and sort the erotica into folders for you. Well, here's what you're going to end up with:

    DoggyStyle/
    MilkBoned/
    ShortTails/
    KittyCrush/
    ...

    If you ask me, it's a race against time, between the animal behavioralists and Google.

  25. Re:We're all boiling frogs on Diffing Guantanamo Bay SOP Manuals · Score: 1

    Yes, but the term was coined by the British during the late 19th century. Came to prominent usage during the Second Boer War in South Africa, according to several sources.