theposse.org
It Came from the AOL news feeds - 5/20
2005/05/12 15:36:35 CDT by burn
Edited at 2005/05/20 00:50:40 CDT

I figure that I will keep updating the same post and take the old ones down daily. Not really sure how long the share link works anyway.

Added at 2005/05/12 15:38:56 CDT

Your Weather Bug is worried - I hate Santorum! (for many reasons... this just adds fuel to the fire)

http://mp.aol.com/video.index.adp?pmmsid=1343956&_AOLFORM=w708.h344.p7.R1

Added at 2005/05/12 22:06:37 CDT

In case anyone forgot, Israel and Palestine still hate each other
http://mp.aol.com/video.index.adp?pmmsid=1343828&_AOLFORM=w708.h344.p7.R1

That Tsunami we had 5 months ago... really powerful!
http://mp.aol.com/video.index.adp?pmmsid=1343805&_AOLFORM=w708.h344.p7.R1

New Credit Cards Coming... are any of you worried about this?
http://mp.aol.com/video.index.adp?pmmsid=1343919&_AOLFORM=w708.h344.p7.R1

Ah yes the Internet is amazing... star wars leaked... NOW
http://mp.aol.com/video.index.adp?pmmsid=1343955&_AOLFORM=w708.h344.p7.R1

Added at 2005/05/12 22:42:56 CDT

If you would like to see different stuff, or you think this is a waste and don't want me to do that, post below.

2005/05/12 16:05:37 CDT by Temporal

Links worked for me. Had to install the AOL media plugin thingy, but that was easy since they apparently provide a firefox version all rigged up to install with a couple clicks. (I assume AOL doesn't put viruses in their plugins, right?)

2005/05/12 20:49:36 CDT by burn

Only when you don't pay attention.

2005/05/13 01:02:00 CDT by Temporal

The stereo is strange in these videos. Sometimes the narrator will come from the left while people speaking come from the right. Other times it wanders around erratically.

Incidentally, it occurred to me that I might only be able to see these because I use RoadRunner. I know I get free access to CNN's videos because I'm a RoadRunner subscriber.

Added at 2005/05/13 01:04:08 CDT

Oh yeah. Dumbest. Cops. Ever.

"I will now fire into a vehicle while another officer is standing on the other side!" And that's to say nothing of all the houses around with people in them.

2005/05/13 11:56:03 CDT by burn
Edited at 2005/05/13 12:00:13 CDT

Yes, that has something to do with the way the video is compressed. I have no idea why that happens. That's just how we get the video from CNN.

2005/05/14 12:52:18 CDT by mattsteg
Edited by burn at 2005/05/14 21:15:35 CDT

Wee, if I close a Firefox tab with an AOL newsfeed in it, it crashes my browser.

Added at 2005/05/14 12:54:21 CDT

And if I just navigate away it leaves a processor-sucking zombie process running.

2005/05/14 16:48:16 CDT by burn

That's not the only thing wrong with your browser:

http://secunia.com/advisories/12979/

http://secunia.com/advisories/15292/

Basically iframe issues and content-type headers.

Although my browser (opera) can't play them at all.

On a side note, the new version of AOL 9.0 is the new security edition.

2005/05/14 17:50:41 CDT by mattsteg

Actually one of those is already patched and the other partially so.

2005/05/14 21:12:44 CDT by burn
Quote from mattsteg:

Actually one of those is already patched and the other partially so.

I know... those links would have been more pertinent at the beginning of the week, but you really can't just throw those out until someone mentions Firefox. I mean, I could link to all of IE's vulnerabilities, but that would be out of context.

Added at 2005/05/14 21:15:05 CDT

That is, until someone mentioned it.

2005/05/14 21:14:30 CDT by burn

Speak of the devil...

http://secunia.com/product/11/

2005/05/14 23:47:35 CDT by Temporal

As alternative products like Firefox and OSX gain popularity, they are proving to be no more secure than Microsoft's products. And why would we expect otherwise? Microsoft's programmers are some of the best; MS has no reason to hire anything less. No, the real culprit here is the security paradigm that our entire computer infrastructure is built around: Access control lists. Until we move to capability-based security, software is simply not going to get any better.

2005/05/15 00:12:28 CDT by burn

I don't think that anyone here would say that the programmers at Microsoft are not some of the best. Security holes and bugs are not completely their fault; decisions are made, production timelines are created, and there are older applications they need to incorporate. I think the issue is that when a vulnerability comes out in Opera or Firefox, you can be sure that they are trying to get it fixed right away (in fact the Firefox team had a workaround posted within the first 24 hours).

I would propose that while the people at Microsoft want to fix the software, the corporation won't let them or slows them down. There are vulnerabilities that have been known about for months yet have not been fixed.

Temporal - I really don't know much about capability-based security (and I do not want to do a Google search); however, is that not what Microsoft antivirus does? IE asks if you want an executable to change registry data or connect to the servers.

Also, it is still based on the weak link in the chain: people. Sooner or later people just won’t read prompts.

2005/05/15 03:05:19 CDT by Temporal

No, it isn't. Capability-based security is much, much more than that. It's a complete programming paradigm, and needs to be supported either by the OS or the programming language (preferably the latter) to work properly. Evlan is based on capability-based security. It's a fairly complex topic, but if you are interested you could read the following links:

http://www.skyhunter.com/marcs/capabilityIntro/
http://evlan.org/concepts/capabilities/

The vast majority of the security holes that we see Microsoft, Mozilla, Apple, and others patching on an almost daily basis would simply not happen with capability-based security. Viruses, adware, and spyware would be nearly impossible to write in such a system. We talk about how it's stupid for users to run programs they receive in their email. Well, guess what? On a CBS system, it would be perfectly ok to run them. It's our computing paradigm that is stupid and makes it unsafe to run software that you don't fully trust.

Unfortunately, Unix started this paradigm and no one has made a serious attempt to challenge it. In fact, for most programmers, the fact that there is another way has not even occurred to them. It's funny since capability-based security is essentially equivalent to pure object-oriented design... but a lot of programmers don't even realize the security implications.

2005/05/17 14:11:53 CDT by mattsteg
Quote from Temporal:

No, it isn't. Capability-based security is much, much more than that. It's a complete programming paradigm, and needs to be supported either by the OS or the programming language (preferably the latter) to work properly.

Well, not exactly preferably the latter. In the end it needs to be in both, and it needs to be implemented in a way that is comprehensible by users, which once again brings us back to somewhat of an impasse. Capability-based security is great for writing secure programs and helping clueful people stay safer. However, you still get into the issue of who determines what capabilities a piece of software has. Because of this issue, the benefits of capability-based security aren't quite as complete as you suggest. From the point of view of a developer writing software that needs to be secure, it's great, but the benefits against malware are less clear.

Quote from Temporal:

The vast majority of the security holes that we see Microsoft, Mozilla, Apple, and others patching on an almost daily basis would simply not happen with capability-based security. Viruses, adware, and spyware would be nearly impossible to write in such a system. We talk about how it's stupid for users to run programs they receive in their email. Well, guess what? On a CBS system, it would be perfectly ok to run them. It's our computing paradigm that is stupid and makes it unsafe to run software that you don't fully trust.

Even on a CBS system someone has to set the permissions, and inevitably a lot of people are just going to say yes when asked "should I let this app do this?" In the end you still fall back to trusting or not trusting the user. Sure, you can make them jump through more hoops to screw up their system, but when $COOL_SCREENSAVER asks to access some component of the system they're bound to say yes. You can only go so far before you run into the human factor. Apps will still ask out of their sandbox. Things get a tad more secure, but holes still abound.

2005/05/17 22:59:49 CDT by Temporal
Quote from mattsteg:

In the end it needs to be in both,

Actually, for software written in a particular language, if the language implements CBS, it doesn't make much difference whether the OS does. The only real problem is that the OS still has a whole lot of security features which are then no longer needed, and thus are just wasting resources.

Quote from mattsteg:

and it needs to be implemented in a way that is comprehendable by users,

Visual software assembly. Basically, manipulate capabilities via drag-and-drop. When you install a program, you will be asked to drag over the capabilities needed. Granted, not all users will get it, but I don't think it will be any more difficult than hooking up a VCR. And if $COOL_SCREENSAVER wants you to drag your e-mail address list over to it, who is going to do that?

In reality, the majority of programs need very few capabilities to operate. A text editor only needs the ability to open a GUI window and to read/write files which the user drags into it. A music player would additionally need an audio output device; drag the speaker icon from your system tray. Very few programs need, say, direct access to the filesystem, and thus I would make it hard for the user to grant such a capability (such as by tucking it away deep in the system's control panel, behind warnings about security implications).

The point I'm trying to make here is that I would not allow programs to pop up a box asking "Do you want to give this program access to ____? yes/no". Doing so obviously makes it too easy for programs to obtain rights they shouldn't have. I would force the user to take an explicit action that shows the user knows what they are doing. And I honestly don't believe this will be that hard for users to understand, with the right UI.

As a result, most software will simply be written to avoid needing dangerous capabilities since most users won't provide them.
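The object-capability model Temporal describes (a program can only touch what the user explicitly hands it; capabilities are plain object references, attenuated or revoked by the holder) as an added example in Python. This is not code from the thread or from Evlan; the class and function names (FileStore, ReadCap, ReadWriteCap, Revocable, cool_screensaver) and the in-memory file contents are constructed here for illustration.

```python
class FileStore:
    """Stand-in for the OS filesystem; only the user's top-level code holds it."""
    def __init__(self, files):
        self._files = dict(files)

class ReadCap:
    """Read access to exactly one file: holding this object *is* the permission."""
    def __init__(self, store, name):
        self._store, self._name = store, name
    def read(self):
        return self._store._files[self._name]

class ReadWriteCap(ReadCap):
    """Full access to one file, able to derive a weaker (attenuated) capability."""
    def write(self, data):
        self._store._files[self._name] = data
    def read_only(self):
        return ReadCap(self._store, self._name)

class Revocable:
    """Proxy with a switch the user keeps; the program only ever holds the proxy."""
    def __init__(self, cap):
        self._cap = cap
    def revoke(self):
        self._cap = None
    def __getattr__(self, attr):
        if self._cap is None:
            raise PermissionError("capability revoked")
        return getattr(self._cap, attr)

def text_editor(doc):
    """Program that only sees the document dragged into it."""
    return doc.read().upper()

def cool_screensaver(granted):
    """Untrusted program: no reference to 'addressbook' was ever passed to it,
    so it has no way to reach that file, only what it was handed."""
    try:
        return granted.read()
    except PermissionError:
        return None

def demo():
    store = FileStore({"notes.txt": "hello", "addressbook": "alice@example.org"})
    notes = ReadWriteCap(store, "notes.txt")       # the user's own full authority
    edited = text_editor(notes.read_only())        # editor gets a read-only view
    handle = Revocable(notes.read_only())
    before = cool_screensaver(handle)              # works while the grant stands
    handle.revoke()
    after = cool_screensaver(handle)               # None once the user revokes
    can_write = hasattr(notes.read_only(), "write")  # attenuated cap lacks write
    return edited, before, after, can_write
```

Nothing in the example ever consults a global "current user" or path string: the screensaver cannot name the address book because it was never given a reference to it, which is the point Temporal makes about not needing a yes/no prompt.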

theposse.org © Copyright 2005 Chris Troutman, Kenton Varda, and contributors
Powered by Io Community Manager, Evlan, and FreeBSD