I will be attending OSCON in Portland, OR. I’ll be flying in the evening of July 25th, and leaving the morning of July 29th. I’m rather excited, because this time I will actually know some of the people attending/speaking at the event, and I think there will be a lot of opportunities to meet cool people, trade ideas, and talk to folks about CERIAS and the PHP Security Consortium. If you’re going to OSCON and want to meet up, let me know!
Repeat After Me: Lack of Output Encoding Causes XSS Vulnerabilities:
I frequently and highly recommend RSnake’s XSS cheat-sheet to test web based applications and services for XSS vulnerabilities. If you are a web developer or tester, I do recommend that you test your application with the inputs suggested by RSnake to test for XSS issues.
Why is it that you make me, after installing your OS, install 27 “urgent” fixes, and only then let me install SP2? Do you enjoy wasting my time? I do not.
For utter shite in IT journalism, it’s hard to beat this turd that escaped from the bowels of Rob Enderle. Nothing annoys me more than clearly debatable points that are presented with no evidence, and Robbie’s article is filled with gems like this:
IE improvements are broad and easily eclipse those by Firefox and Netscape, but remember this is still beta code so these competitors do have time to respond. Web applications are now more effectively sand-boxed so they can’t do damage and IE extends tabs to include full preview windows. In addition, there has been a massive improvement in resistance to phishing which leads me to favor the Netscape browser for individuals. The new IE expands on the idea of tabs to provide real time views of the active pages.
First off, I’d like to hear what improvements IE7 makes that “easily eclipse” those by Firefox and its brethren. The ones I’ve heard about are things where IE7 is catching up to Gecko’s rendering engine, or adding features that have been in Firefox and/or related browsers for quite some time. Now I’m not gonna deny that there is some cool work going on in IE7 in terms of security, but it’s interesting that much of capability is only available on Vista, because XP — even SP2 — is fundamentally flawed when it comes to user permissions. IE7 will continue to be a successful attack vector with all pre-Vista versions of Windows, even assuming that protected mode is flawlessly implemented. And it sure as hell isn’t the case that XP users will be falling over themselves to upgrade, let alone the numerous folks who are still running 2000 Pro (the folks who are running stuff from the Win95/98 codebase have been fucked for years, so there’s really no point talking about them, even though they still are a substantial percentage of Windows users).
One thing that looks interesting the Atlas web app dev system. Basically it’s MS’ Ajax library, and among other cool stuff can integrate with WPF/E, a portable subset of the new Vista UI layer. When I say portable, I mean it, because at PDC they showed a demo of it running on a Mac in Safari. While the issue of a Firefox plugin hasn’t been addressed, it doesn’t sound like it would be to terribly difficult for a third party to do (at least on Windows). So yeah, neat shit, but it’s not specific to IE7.
Robbie talks a lot about how Apple needs to take Vista seriously. Yes, it does, for sure. But Robbie seems to think Vista is a serious threat to Apple — as serious as Win95 was to the Apple of 1994:
Apple will have to improve its game sharply to compete. However, given the strength at the back end, strength that Apple has never had, the exposure now goes well beyond Apple’s available resources. This means Apple will have to partner to avoid what may be the most damaging competitive threat the company has ever faced. While possible, Apple’s one prevailing weakness has been their inability to partner and unless that changes we should be able to call the outcome of this competition relatively easily — and it isn’t positive for Apple.
I call bullshit on that, though, because of something Rob points out:
Apple is again growing with the market and, unlike 1994, is dominant in an emerging market — digital music players.
Mac fans don’t really like admitting this, but the only reason Apple is totally kicking ass lately is because of the iPod. Apple is in an enviable position as the clear leader in the market with few companies with the resources and expertise necessary to mount a real attack against them. It’s a huge, publicly prominent position.
What this means is that, for the moment, Apple’s computer sales are kinda gravy. It doesn’t matter if they only have 3% of the market, because their massive media influence gives that 3% a lot more sway. So even if Vista steals a couple tenths of a percentage point from the Mac market, it doesn’t matter. Apple doesn’t need them to thrive, let alone survive.
Plus, Rob doesn’t even mention Google, the company that MS is surely most worried about right now. For an article dealing with how Vista and Office 12 position the company against all of its competitors, ignoring the big G is ridiculous.
WSJ.com - Battling Google, Microsoft Changes How It Builds Software:
The news got even worse: Longhorn was irredeemable because Microsoft engineers were building it just as they had always built software. Throughout its history, Microsoft had let thousands of programmers each produce their own piece of computer code, then stitched it together into one sprawling program. Now, Mr. Allchin argued, the jig was up. Microsoft needed to start over.
This was a pretty interesting article, and I imagine a more detailed examination of the change in software practices would be pretty interesting. It’s easy to hate the Microsoft, but competition is a good thing, kids, and MS getting better at what they do will push Apple/Google/et al to push back harder.
(Via Slashdot.)
Ed Finkler is a web application developer, security expert, graphic designer, and dabbling musician. He works for CERIAS at Purdue University. His opinions expressed here do not necessarily reflect those of his employer.
Photo by Terry Chay
RSS 2.0