Comment Re:That will include badmouthing politicians (Score 1) 489
You seem to have some problem with reality. Maybe get help?
What, you will not allow a budding totalitarian regime to do what it does best, namely terrorize its population? You must be a troll! Off to jail with you!
Of course. It is just like in 1984: Language gets controlled so that people may not voice their thoughts anymore.
It is also cheaper to have your clients' browsers get hacked than your servers. But you are right, the bean-counters are at the root of most evil these days.
I know that. That person has the valid excuse that JavaScript was never intended to be used for anything large or security-critical. It was a quickly hacked-together tool to do small things like changing the color of a button on mouse-over. The problem is all the utterly clueless morons that think JavaScript and the browser are suitable for real computing.
That is just not true at all. Maybe look at what secure software engineering can do these days?
Thanks, that is exactly what I am saying. If technology is not done sanely, there usually is a huge cost to pay at some time that invalidates all advantages gotten.
"I want" is not a valid excuse for using fundamentally defective technology. It is just an expression of egomania.
While not impossible to do in principle (see qemu), such a VM is exceedingly slow.
Not everything that comes from the NSA is bad. Also, not everything they do can easily conceal backdoors. Some insight into the subject is required to understand what things coming from the NSA are dangerous.
1. Basically, all crypto that uses "magic constants" without a clear and complete spec of how they were reached is highly suspect. That includes most ECC crypto the NSA has done so far and is likely the reason the NSA and some vendors like RSA are pushing for the use of ECC crypto.
2. On a bit more abstract scale, all crypto implementations that do not have their full design and design rationales published are highly suspect. They often represent a compromised design, that, for example, may in some instances get compromised but not in others. ("compromised design", because it is not possible to verify from the outside whether the implementation is compromised or not and there are both compromised and non-compromised implementations that look the same from the outside.) A good example is Intel RDRAND, which is definitely a compromised design. It has a number of design choices that go way beyond "clueless" and must be intentional. The pathetic excuses of the lead developer and the pressure by Intel to use it as the only randomness source basically confirm things: https://plus.google.com/+Theod...
3. But then there are other things. SELinux is an access control layer, and while configuring it is a bit convoluted until you get the hang of it, there is no complex mathematical magic in there that you can use to hide backdoors. In fact, its implementation is rather simple. Hence it can be easily expected, and intentional security flaws will be very hard or impossible to hide. That is why SELinux deserves a high level of trust.
What people overlook is that the NSA is not monolithic. It has its intelligence division (the evil scum that basically try to take the Internet away by making it as insecure as they can), but they also have a part that is tasked with actually securing IT infrastructure. While the NSA should be disbanded and its former and current leaders should be locked away for life as recognition for all the evil they have done to the human race, they have done and published some pretty good work as well. And as with any government bureaucracy, the right hand of the NSA does not know what the left hand does.
Somebody has standardized some interface, but that is vastly different from having a generally accepted "standard interface". Seriously, some insight required in this discussion.
They do, but that is not the primary problem. The primary problem is that these "tools" attract coders that suck.
Yes, because the dumbest programmers and most IT-challenged managers are found there. Hence it is no surprise they standardized on using the worst tool available that just about can still get the job done. And yes, from code security reviews of quite a bit of "business" Java code for decidedly "enterprise" settings, I do know what I am talking about. I have never seen anything so stupid anywhere else as what I routinely find in Java "enterprise business applications".
An excellent reason to use C (not C++) for business applications is that then you avoid all the really dumb "coders", because they cannot get anything to work with it. An equally valid choice with better productivity would be Smalltalk, Eiffel or Haskell. In all these cases you need coders with a clue. They tend to be more expensive, but only per hour. In overall project cost, they are far, far cheaper.
Actually, it is you who does not have any clue what you are talking about. Conceptually, operationally and in general "feel", the difference between 1 server and 25 is far, far larger than between 25 and 100'000. But it takes having had that experience to see that.
Well, since of all these sites I use only Amazon and Google, it seems that JavaScript is primarily a tool for wasting people's time. No surprise. But who says I refuse to use JavaScript? That is entirely in your mind. I will just call trash trash, even if I use it because there is no good alternative.
"Given the choice between accomplishing something and just lying around, I'd rather lie around. No contest." -- Eric Clapton