29 posts • joined Friday 14th September 2007 19:33 GMT
What bothers me about this article is not the vulnerabilities themselves. Yes, graphics drivers are buggy, and most likely exploitable through GLES and GLSL if you're not careful. This is bad.
What bothers me is that it is being painted as an end-of-the-line, unfixable problem for WebGL. It's not. Browsers could add sanity checking to values passing through the WebGL layer. GLSL shaders could be sanitized. It'll hurt performance a bit, but what are you going to do? Hell, Google Chrome on Windows is already passing the OpenGL commands through a translator (ANGLE) to translate them to DirectX (and therefore is translating GLSL to HLSL) to bypass the dodgy OpenGL situation on Windows, so I see little reason why sanitization cannot be added to this as well. Similar should be possible for any browser, though Google may have a head start due to ANGLE.
I'm not saying this will be easy, but I really don't see why it's painted as being so very impossible. Hell, Google wrote a sandboxing architecture to allow x86 code to run safely from the web. This should be doable.
SpiderMonkey, TraceMonkey, JaegerMonkey, IonMonkey?
What the everliving fuck are these people ON? I realize that developers like to give things codenames early on, but seriously, how the fuck am I supposed to know what this shit does? To the outsider, it's utterly impenetrable. Worse than 'regular' jargon.
@me n u
Good luck with that... since the addition of Android phones, Virgin Mobile hasn't been able to keep their data network up and running. The Sprint network proper seems okay, so it's unclear what's going on, but I wouldn't put my money there right now. Wait and see; maybe they'll fix it, but I'm not holding my breath.
"Apple should still produce patches, otherwise security conscious people would have to upgrade."
I'm sure Apple is real broken up over the idea that security conscious people would have to upgrade.
Microsoft doesn't ship OpenGL drivers with their OS these days, so ma and pa who never update drivers from the video card manufacturer's website don't have OpenGL support. This very likely accounts for a large majority of machines.
Also, Intel's 3D drivers for Windows have pretty abysmal OpenGL support, as I understand it. Not that Intel's 3D drivers for DirectX have a sterling reputation either; however, their chips are very common, because most people don't know any better, nor do they care to.
"Obviously, if you want to run a 64-bit operating system in a VM, you need to have a 64-bit host."
You may think that's obvious, yet, VMware lets you run a 64-bit guest on a 32-bit host, assuming your processor/chipset supports it in the first place. Obviously.
@A J Stiles
Oh, so you can take code for Windows and just run it through GCC on Mac OS and it will just work, eh?
The actual reason that Chrome is so slow to be released on Mac OS X is due to problems implementing their one-process-per-tab architecture on OS X. You see, Windows has no problem allowing a window from one process to be parented to a window from another process, thus how the content from a tab process can be rendered within the Chrome window. But Mac OS X, as of 10.5, doesn't support that.
So, they've had to rearchitect that part of the system for the Mac port. Therefore, delay.
But, I'm sure if you were on the team, they'd be done by now.
Don't have the right according to who?
"From where we sit, however, Palm doesn't have the right to tweak its iPhone competitor to make it pretend to be something it's not."
The hell they don't. It's just bits, ones and zeroes, and not even particularly interesting ones or zeroes. It's a vendor ID field, _a number_.
If they want to tweak it to claim to be 7, 42, or the square root of 2, more power to them.
Having seen this tech in action before (http://www.etc.cmu.edu/projects/bvw.html), I can tell you right now- that spacecraft is *doomed*.
Trying to get the audience to coordinate their motions in any sort of sane way is like herding cats.
The real reason
Google may try to obfuscate their reasoning with ridiculous statements like "Your computer has to do extra work to decrypt all that data" (my Core 2 Duo is more than capable of decrypting one paltry GMail session, thank-you-very-much), but their real reasoning is clear.
They don't want their servers to have to do all that "extra work" to ENcrypt all the data. It would mean they'd have to buy more servers, and that would hurt their bottom line. That is, ultimately, all that any company gives a shit about (do-no-evil or otherwise). Oh, and I suppose that using more servers isn't 'green' or something- I'm surprised they didn't trot out that line. Save the planet, ban encryption!
They give you the option to turn on https to placate the savvy users, but everyone else gets whatever uses the fewest CPU cycles. If you expect them to do anything else, you don't understand how a business works.
Get real, complainers
"The REAL question is what else in their system failed that allowed a surge to get that far into the network..."
EVERYTHING failed; it was a direct lightning strike. If you think you have a surge protector that works against that, I suggest you get yourself to the patent office straight away.
"The better question is why didn't UPS and generator kick in"
Oh come ON. Lightning doesn't cause a power INTERRUPTION; it eats your infrastructure for breakfast. Nothing is going to protect your data center from a lightning strike. Oh, so you have a UPS system? Well, when the massive current fuses every metallic component in your UPS into a giant conductor, fat lot of good that will do you.
I have (had!) a backup server hosted by these folks... I used to have some more important stuff there, but pulled it out a few months ago because HyperVM was making me nervous. They pulled the entire control panel down several times recently due to suspected vulnerabilities in the software.
Basically, HyperVM looks like a house of cards, so I think it was only a matter of time before it got hacked. The control panel appears to run as root on each VPS host; of course any outward-facing thing can get hacked, but there ought to have been some level of abstraction between the control panel and the VPSes to slow down the hackers. Doesn't seem like there was, though.
Pretty glad I moved my stuff when I did.
I for one welcome our micropayment overlords
Seriously, I am tired of the attitude that everything on the internet should be free and that ad revenues are a viable way to sustain a business.
There is only so much advertising that you can shove down the throat of consumers. It is just advertisers advertising for advertisers advertising for advertisers at this point. It is just a bubble that is going to burst sooner or later.
That's not to say that it is reasonable to expect me to pay $25/mo for a service that used to be ad sponsored when I know full well that the advertisements you served to me brought you a grand total of 4 cents of revenue. Let's just be realistic- you bill me for 8 cents instead of 4, you make twice the money, we can all go home and I can stop looking at ads for pointless bullshit I don't need or want and will never click on.
This title would be a hyperlink if it were allowed
With all of the hyperlinks in this article, I figured the Reg signed up for some sort of contextual link ad company or something (Kontera and friends).
Seriously, we know how to use a search engine, I don't need every second word to be blue so I can be linked to an explanation. This is an IT website.
We're going to complain about what, now?
"More-adventurous users might be happy to download their own non-Microsoft players, or treat the netbook as a lightweight second machine that doesn't need media. Most ordinary consumers won't, though, and will - rightly - expect a fully functioning, self-contained PC package out of the box."
Please... OEMs will just bundle PowerDVD or something which they can license for pennies. Microsoft removing DVD support from the OS (frankly, I didn't realize it ever had it) is hardly a loss. Ordinary users will GET a fully functioning, self-contained PC because the OEMs will make it so. It's the more adventurous users that will have to go to extra effort to rip out the preinstalled bloat.
Also, as has already been pointed out, netbooks don't have an optical drive.
Well that's the funny thing about the world, isn't it? If you want me to care about your project enough to contribute, you better give me a reason why I care in the first place. I'm not going to contribute out of pity.
C'mon, seriously? Blaming Python for PSP's bloat? Besides the fact that PSP was already a bloated pig at v7 (v6 was probably the last lean version), you're just tossing personal vendettas into the article.
"I don't like Python so nyaaaaaaaaa"... that's all I got from this.
Barn door is open?
Will have to test this next time I use PayPal (I have a PayPal fob). If this is really true then one has to wonder what exactly the programmers at PayPal are smoking. A validation function that returns success regardless of input? Awesome coding, guys!
I'm not sure how exactly a security vulnerability this wide slips through the cracks. Testing, wonder if they've heard of it?
On a tangent, why the hell does PayPal make me answer a security question after I have successfully (1) provided my user ID, (2) provided my password, AND (3) provided my key fob number thing? It's beginning to get on my nerves, and I'm not sure I understand what additional security it is generating. If they've stolen my password AND my fob, then congrats, they probably deserve access to my account already.
The more important question...
This seems to imply that The Gap is collecting Social Security Numbers from people who have APPLIED for jobs but don't actually work there.
I wouldn't give any employer my SSN until I was damn well being put on the payroll.
@ the previous poster
Hah, yeah, you can't update your credit card through their system, but at least they let you do it online somehow (not that e-mail/phone is overly secure but..)
At my *other* host, they make me fax them a signed form for changes. Fax! Who has a fax machine? Have to go to Kinko's just to update my billing details...
Annoying but not a real problem... unless you're dumb
So they say the attack had the potential to expose names, addresses, phone numbers, email addresses and server login details.
The first four points are of course true. The fifth (server login details) is true as well, but only because people are dumb enough to give their server provider their root password (to fix a problem, etc.) and then NOT CHANGE IT AFTER.
I lease a server from LT and although I've certainly changed my support portal password, I'm not losing any sleep over the security of my server itself. Any server password I ever gave to their techs was changed the moment after they were done with it. They have no business retaining any valid logins for my server after that point.
I have trouble feeling sorry for anyone who doesn't follow this basic security procedure.
Phone? Who needs it?
Must be in Europe that the mobile phone reception doesn't suck inside buildings (last job was in Canada)... heaven help me if I tried to use a cell phone inside the office, it would be dropping constantly or all I would hear was a bunch of garbage... or sometimes I could hear the other party but they would just hear a bunch of garbage from me. Useless. Desk phone all the way.
At my current job I don't even have a phone. Let the receptionist answer the damn phone. If someone needs me, they can bloody come talk to me. I love it.
Nice idea, but...
Although at some level I like this idea- I don't really believe that the masses will ever be smart enough to run their own damn computer- this proposal seems to raise more security concerns than it solves.
You're putting the security of your box in the hands of some 'geek' you've never met who works for the management company. (Or maybe just a 'volunteer' to the project?) Maybe that geek is trustworthy. Maybe he's not. All it would take is one malicious 'administrator' to turn all the boxes into a botnet.
This sort of thing works pretty well in a corporate setting, where you're turning over control to the IT department, with whom you have some level of 'relationship' and some reason to trust them, but to turn over control of a personal computer to an organization with offices hundreds/thousands of miles away (maybe outsourced to India someday), enh, I wouldn't let my granny do it.
Unless granny is turning over control to someone she already trusts (i.e., her geeky grandson)- which pretty much eliminates any edge this has over existing Linux distributions- then I fail to see how they intend for this to be trustable in a grander fashion. They better have an ace up their sleeve if they intend for this to go anywhere.