Posts by Kristian B 15 publicly visible posts • joined 19 Jul 2009
They've just thrown down the gauntlet... let the attacks on their online banking customers commence, using age old IE6 security holes :P
How many script kiddies are now going to put up proof of concept pages which open the Chase online banking log on page in a new window, inject ECMAScript into it and alter the DOM to add "HaX0r3d by Timmy! Libilar!" next to the password field... with the help of good old Internet Explorer 6 ?
That wouldn't work with PHP's MySQL or MySQLi interfaces as they only allow execution of a single query, not multiple queries separated by semicolons. So in that example it would only be possible to read data, not delete/update/insert anything.
I'm surprised so many high profile sites make such basic mistakes and harbour vulnerabilities like this!
Didn't Stallman pretty much pioneer the reciprocal copyleft model of open source that thrives today?
Before that there was only the non-reciprocal academic model of open source, which can be used in propitiatory software and distributed as compiled binaries - without releasing the source code or giving attribution.
Half of the networking tools that are part of the Windows operating system are examples of the latter.. just pulled from BSD, ported to windows, and branded as Microsoft.. and no you can't see the source code or use the software without an MS licence. (But you can open the executables in Notepad and see the BSD copyright notices among the binary garbage.)
So the old model of open source isn't very "open" after all... Hence the need for the term FOSS - to differentiate between the old way and the open and free (FREEDOM) way.
Is Jobs going to ban the web now?!?
Could Apple push out an update that automatically uninstalls Safari or maybe just disables JavaScript on the grounds that it's an interpreted language and hence already banned - but they only just realised?
It's ironic that the beloved HTML 5 web application spec is what will give all this power and richness to web apps - which are inherently cross-platform / device independent.
In fact, if Mr Jobs is so anti anything he can't control, I'm surprised he even acknowledges that the web exists. He's been so busy hyping HTML5 and singing the praises of open standards while fighting his war with Adobe... I think one day he'll regret it.
Look how increasingly irrelevant win32 is becoming today, thanks to the web. In Microsoft Land, the web is public enemy #1! It's like what world communism would be to the United States.
How long before Apple realise they helped give the web teeth and now it can bite them.
Oh dear! The patent system in the US is a joke!
Shame it's not going to change any time soon, when the USPTO is laughing its way to the bank everyday while handing out patents like candy bars to anyone with a mere idea.
Clearly, the USPTO is a government agency intent on making a quick buck, even if it harms the economy and kills the very thing it's supposed to encourage - creative innovation - while causing a massive problem for businesses and the courts to deal with, which has the happy side-effect of keeping a whole bunch of IP lawyers in business who duly return the favour by feeding the input valve with more so-called "patent" applications. It's an economy unto itself.
You've got to love the crass audacity of legitimised corruption in Yankeeland. It doesn't even try to hide itself or divert attention, it's just out there in broad daylight hitting the economy, especially small businesses, with a baseball bat. Software patents aren't assets, they're weapons.. the Patent Office runs around supplying arms to any company with the right cash, perpetuating the insipid "them against us" dog eat dog mentality, then standing by counting its profit and watching the fallout.
Software patents are like nukes, everybody is infringing each others, all the big boys have an arsenal pointing at each other.. Linux & open-source have the coalition led by IBM pooling and sharing their arsenal.. no one can move.. It's the equivalent of a cold war we're in.
Just a couple of months ago, several of our Windows XP machines got screwed up by a false-positive antivirus alert which caused the antivirus service to delete critical system files. We couldn't believe it at first, all users login to limited accounts but the weak link was the antivirus service.
The machines wouldn't boot normally but did boot into safemode. Unfortunately, the System Restore facility failed so we couldn't just roll back to a restore point. While manually restoring the system, Microsoft's anti-piracy subsystem kicked in, rendering the system useless as it disallowed safemode logins.. and the system wouldn't boot normally. So we were locked out because Windows didn't think its licence had been activated, but we couldn't login to register/activate it!
Now just a couple of months later, this has happened.. an official Microsoft update has rendered the systems unusable again!
We're now looking at deploying a Debian-based Linux distribution on all our desktops. Microsoft Windows is a far too unstable for serious business use!
Microsoft buys company... company drops its Linux/Unix software. Just like when Apple a acquires a company... they discontinue the Widows versions of its software. Time and time again.. it's no surprise.
Wake me up when Microsoft start playing the Apple game of trying to tie software to hardware. When they launch their "Microsoft Certified Hardware" scheme and only permit Windows to be used with Microsoft-labelled or Microsoft certified hardware (inc. peripherals). Naturally they would only certify the hardware of vendors who promise to never provide drivers or support for Linux or Unix platforms. Then, like Apple they could go around suing anyone who installs Windows on computers that are not Microsoft-labelled or certified.
@David Webb
What are you talking about "full internet device", "device for viewing the internet", and "play the majority of the internet" ?!?
The Internet is an infrastructure of interconnected networks. I think you mean the Web (World Wide Web), which is just one network service.. not the "full internet".
People will disregard your comment as someone who doesn't know the difference between the internet and the web is obviously clueless.
@Daniel B.
What are you talking about "interpreted languages add unnecessary overhead"?
Anyone using PHP in a production environment uses an accelerator (optcode cache) so unchanged scripts are immediately executed and not re-parsed and compiled on each request.
Do you honestly think sites like Yahoo have their servers wasting time interpreting PHP source on every page request?!?
People stupid enough to use Internet Explorer deserve everything they get!
It doesn't matter what we do, it's impossible to protect such people from themselves!
Anyone caught using Internet Explorer should have their computer confiscated and replaced with a big box of crayons!
And any IT department allowing IE use in their business needs to get a pin and pop the Microsoft bubble they live in!
The government should recommend open-source software due to the fact that it is inherently more secure than closed-source alternatives.
The security of MS Windows and Internet Explorer is entirely dependant on Microsoft keeping the source code ("blueprints") secret and reacting quickly to fix holes that are discovered and exploitable. Yet still, months or years after the software is released and in widespread mission-critical use by business and government, security holes will be discovered by poking the software from the outside, even without knowing the internal details.
Whereas the source code of open-source operating systems and browsers is released for anyone to see. The "blueprints" are published and viewable by the world. Thousands of developers around the globe can study the internal details of the software. Thousands of eyes are looking for and communicating any potential security implications in the design or implementation.
Most of the "security vulnerabilities" reported and fixed in Firefox were discovered by looking at the source code and most had no actual exploit/attack vector. Compare that with IE where all of the security vulnerabilities were discovered from the outside and have current real exploit mechanisms and are actively being used in attacks.
Open-source is the only way forward. Propitiatory closed-source software will always be dangerous.
The EULA only exists because of copyright!
An End User Licence Agreement is a licence to use their copyrighted work (the software)... If it weren't for that intellectual property right, anyone would be able to do anything with the software without a licence!
Under the same intellectual property right, there's nothing to stop a record label from including an EULA with Music CDs stating that you're only allowed to play the music in a Sony-branded CD player... as long as you see the terms of the licence before you buy the CD.
That's were the problem comes in for software EULAs... In common law jurisdictions, such an agreement is not legally binding unless both parties to the agreement derive "consideration", in which case the agreement is considered a "contract" (a legal agreement, enforceable in law).
But when you install the software and agree to the EULA, the software company does not derive consideration so no contract exists. The payment you made when you bought the software in a store is consideration in a separate and completed contract that you entered into with the store, so it's "past consideration" and in contract law past consideration is no consideration. Therefore, when buying software in this way, most EULAs are merely agreements binding in honour only.. not legally binding or enforceable.
Anyway, I can't wait until Microsoft get desperate and start playing the Apple game of trying to dictate what hardware you can use with their software. They could start a "Microsoft Certified Hardware" scheme and only certify the hardware of computer companies like HP and Dell if they agree to NEVER distribute systems with other operating systems, like Linux! And only certify peripheral devices if the vendor agrees to not distribute drivers for other platforms.
Then EVERYBODY would be crying foul, while Apple can get away with relative murder!
@Juan Inamillion:
You're not a web developer are you? Have you even read the standards?!?
No browser exists or has ever existed that supports the standards in their entirety. And it's a good job, considering that XHTML 1.0 - the W3C recommendation since 1999 - actually breaks the HTML standard! Any browser that bothered to implemented the spec would not correctly parse half of the websites online today, because XML empty elements (e.g. <br/>) collide with the SGML SHORTTAG constructs from HTML 2.0+ (e.g. <br// and <p/This is the paragraph content/). But no major browsers ever implemented the SGML minimization features so W3C happily went against their own standard and screwed anyone that did implement it.
It's now 10 years after XHTML became the official W3C recommendation and Internet Explorer still doesn't support it! So we have to do the dirtiest things like serving XHTML with the "text/html" mime type telling all browsers to treat it as SGML-based HTML and not use XML parsing.. which was the whole point of the swap.
Also W3C is back-pedalling now and developing the new HTML 5 spec separately.
Half of what makes the web great today, which most developers reply upon, are de facto standards like the innerHTML DOM extensions and XMLHttpRequest (AJAX) object. Even the new ECMAScript spec (JavaScript standard) officially prioritises the current use of the language over strict conformance to its spec.
So now thanks to web standards, half the web is XML-based HTML but served with the wrong mime type (meaning the browser uses its SGML parser and see lots of syntax errors) and the other half of the web is correctly SGML-based and served with the right content type header. And on top of that almost all website depend on an array of de facto standards and non-standards.. GREAT!
WOOO Go web standards!
It's not a "bug"! It is documented and is the expected behaviour. The way Microsoft Excel handles the situation was initially a bug, then it became a "feature" as everyone was used to it and expected it.
It's like saying the DELETE key is a bug because it destroys data, when in the Microsoft bubble "DELETE" means just hide or move to special location pending restoration.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
