This research was presented by n.runs at the 28th Chaoas Communication Congress: http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html.
The presentation was recorded and can be viewed at http://www.youtube.com/watch?v=R2Cq3CLI6H8.
We have to build a mechanism to automatically update things. We did not do that. The right way to design, if we were to update things an updating protocol that automatically updates itself so when the next version comes up it knows where to find the next version rather than having to wait for a Windows update or whatever.
Actually, newer windows versions (Vista and later) use Microsoft's online Certificate Trusts Lists which allows exactly this. Microsoft revoked the DigiNotar certificate without issuing a real Windows update:
On August 29, 2011, Microsoft removed the trust from one DigiNotar root certificate by updating the Microsoft CTL. Why is Microsoft releasing an update? Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority. Windows XP and Windows Server 2003 do not use the Microsoft Certificate Trust List to validate the trust of a certification authority. As a result, an update is needed for all editions of Windows XP and Windows Server 2003 to protect customers.
(http://technet.microsoft.com/en-us/security/advisory/2607712)
That doesn't make sense:
1. Google serves all ads within Google.com from that same domain. No cross-site scripting anywhere, so nothing for the XSS filter to block.
2. For external sites (AdSense), disabling the XSS filter on Google.com won't help either: the external site would have to disable it. Otherwise anyone could just disable the XSS filter on their own domain and hack away on other sites.
Except, that was the FIRST security flaw linked in the article. The SECOND one (at The Register) is about a different security flaw, in the XSS filter. The XSS filter is new in IE8.
And, BTW, Google does indeed disable it so that they are not vulnerable to the flaw: their servers send a "X-XSS-Protection: 0" header.
There have been several beta releases for Internet Explorer 7 and 8. Still no need for nightly builds: if it's not release quality, why publish it at all?
In open source projects, nightly builds are mostly a service for developers/testers as well. And since everybody can help improve the code, having more people test can certainly be beneficial.
What if they'd just release their rendering engine, with a very simple UI which only lets testers enter a URL? After all, most of the problems are in IE's rendering engine, not in its UI. That would solve the problem of journalists etc. looking at it as a real product.
Now, I do doubt the usefulness. We can't improve the code like we can with open source projects. Giving feedback about the rendering engine isn't all too useful either, because the IE team cares about standards nowadays and uses many tests themselves (W3C testsets, Acid3, CSS3.info). They already know the bugs, so the only thing we could conclude with a nightly is how far along they are.
The package is called 'aria2', the command 'aria2c'.
Example usage:
aria2c http://releases.ubuntu.com/9.10/ubuntu-9.10-desktop-i386.iso http://releases.ubuntu.com/9.10/ubuntu-9.10-desktop-i386.iso.torrent
How will the ballot screen work? Will it redirect to the chosen browser maker's website, will it download an installer? If so, that'd be way too much work for 'simple' users and they'll just close the ballot screen leaving IE as the default browser.
Also, I can't help thinking that there must be a prettier way to make this ballot screen (outside of IE, preferably!).
Dynamically binding, you realize the magic. Statically binding, you see only the hierarchy.
