Discussions

Bass: Knows the way the wind is flowing.
  • Why no Silverlight or Flash

    evildictaitor wrote:

    Exactly. The fact that even the web committees are debating adding these things is a good point to end this conversation, because it's a direct admission that there are fundamental flaws and use cases that the web doesn't cater for and which need to be added into the standards, since these basic use cases can't be solved with a sprinkling of JavaScript, but require foundational reform of the web's core standards.

    Even here, though, your response is lacking. For PGP to be safe on the web, it needs the private key to never be exposed to JavaScript (otherwise one of those pervasive XSSes is going to take your PGP private key, or you're going to have to copy and paste it everywhere)

    And it doesn't look like CSRF or XSS are on the way out either.

    The web has a lot of problems still. But I'm glad the web committees are not as blind to that fact as you are.

    I'm personally happy we got from "web is fundamentally flawed" to "web is not perfect yet" (of course, of course, with a healthy dose of indignation, but that can't be helped). :)

  • Why no Silverlight or Flash

    evildictaitor wrote:

    *snip*

    I don't care whether DRM works. I care that Netflix started in 1999 and DRM online still isn't standardized. The fact that you can view it in Chrome without Silverlight is because Google got pissed off with the ideological BS of the committees and just implemented and pushed it in their browser.

    Do you mean using the W3C spec I linked to? Which is also supported by Internet Explorer and Mozilla Firefox?

    In short, the web basically said it didn't support Netflix's business model - one which hundreds of thousands of paying customers clearly did like - forcing Netflix to opt out of the core web and turn to plugins in order to work around this core deficiency of the web. And why? Because the web-committees were ideologically opposed to their business model.

    Well obviously this wasn't the case, since the W3C endorses the EME. Supporting DRM on the web was not a decision I agreed with. My personal opinion is we shouldn't be building the web to prop up idiotic business models or technologies. I wouldn't want the web to become 'fundamentally flawed', after all. :)

    PGP (or end-to-end encryption in a more general sense) is another example. There is simply no way I can replace Desktop PGP with an online application because the web simply doesn't support safe end-to-end encryption, in stark contrast to desktop apps.

    We're pages in and you've had to concede that the web has major foundational issues in security (you still can't cite a single website that's never been affected by two very specific classes of bug caused by mis-designs of the web), and major foundational issues in functionality, because things like PGP simply can't be safely implemented on the web's platform.

    How you continue to make the absurd claim that the web has no underlying issues and all of the remaining problems can be fixed with just a light sprinkling of JavaScript is totally beyond me.

    Anybody with an inkling of common sense can see that the web has serious issues that still need to be worked out. And until and unless you stop drinking the Kool Aid, you'll be unable to see how to make the web actually better.

    http://www.w3.org/TR/WebCryptoAPI/

    http://www.w3.org/TR/2013/WD-webcrypto-usecases-20130108/#encryptedWebMail

  • Why no Silverlight or Flash

    evildictaitor wrote:

    *snip*

    Sounds like you misunderstand DRM pretty seriously. It's about stopping kids pirating movies during the period immediately after cinematic release when the movie industry makes 99% of all of the money from the movie, not about stopping piracy in the long run.

    But that's all an aside.

    Who cares why someone wants DRM - or whether you think that view is wrong? That's a business decision by a whole other industry, and it's their problem to sort out. It's not for web committees to make that decision on their behalf.

    HTML is supposed to be a neutral platform. The fact that web's committees are blocking applications that exist perfectly fine outside of the web based on their personal ideology is just more evidence of the broken mentality and architectural flaws at the center of the web, and frankly a key reason why HTML has failed to kill off Flash and Silverlight.

    And PGP is just the same. I can't use PGP over Gmail in the browser. Why? Bullshit ideology. Want to play Call-of-Duty in the browser? No. Ideology gets in the way.

    This doesn't affect other platforms. Windows doesn't say "DRM is good". It says "You can have DRM if you want it". It didn't support PGP when it was fighting the US government in the 90s. But it didn't deliberately cripple the ability of the computer from doing encryption because "information wants to be free" either.

    That's the issue here. The web has architectural flaws that prevent major classes of application from being able to run on it full stop, as well as architectural flaws that make writing websites expensive, hard-to-maintain and non-secure by default.

    And it's all pointless. The web could be secure-by-default. It could be a neutral platform that you can write whatever program you want for. It could be easy to make a site that is obviously going to look the same on every browser.

    But it isn't.

    Until we recognize these architectural flaws and address them head-on, the flaws will persist, instead of fixing them and improving the productivity, capability and usability of the web for all.

    But what are you complaining about? I can watch Netflix without Flash or Silverlight. It's not even a new feature, this has been the case for a while. Did you legitimately not know this? See the W3C spec. I guess the system works, right?

    The DRM doesn't actually do anything to stop widescale filesharing though. You can see proof of that in how fast Netflix exclusives pop up on torrent sites (hint: about the same time they come out).

  • Why no Silverlight or Flash

    The clusterfuck that is playing Blu-ray movies on computers can largely be traced back to DRM. I mean, it's all pretty standard codecs behind the scenes, all of which are bundled with Windows. But I guess it's Microsoft's ideological anti-DRM BS at fault.

  • Why no Silverlight or Flash

    evildictaitor wrote:

    *snip*

    No. DRM isn't about crypto. It's about allowing me to stream 1080p movies from content publishers that insist they are streamed over DRM.

    I don't care how the DRM is implemented, or whether it's cryptologically unsound. I care that the HTML committee are using ideological anti-DRM BS to get in the way of me streaming high-quality movies without having to install third-party plugins.

    And if you think DRM is, or was ever about crypto, that only goes to show how much of a fantasy-land you live in.

    I think the existence of DRM only proves one thing, content industry execs are morons. There are plenty of vendors of DRM solutions making a killing from that stupidity. Is that who you work for? It's kind of like a medical doctor selling homeopathy.

  • Why no Silverlight or Flash

    evildictaitor wrote:

    *snip*

    LMAO. Yeah. Local crypto is fundamentally flawed. Good one Bass.

    Um no. DRM is fundamentally flawed. Here is a system for once that deserves the moniker. It's an attempt to protect data while giving people the decryption key.

  • Why no Silverlight or Flash

    TexasToast wrote:

    Bass loses the argument and now he plays dumb. Why doesn't he just admit he is wrong? If I am ever wrong, I am sure to admit defeat. :D Silverlight is better than HTML browser based apps. Case closed. (I did like the conversation to a point but now it should end.) Also, better technology does not always win in the market. Many factors can cause one technology to win over another.

    Go ahead and use Silverlight. :D There is even a mostly dead FOSS project you can go contribute to if you want to make it happen.

  • Why no Silverlight or Flash

    evildictaitor wrote:

    *snip*

    No. It has architectural problems now because of several mis-designs in the 90s - many of which were widely known to be a mis-design back then, and are still affecting us now (like "be liberal in what you accept" was widely known to be a stupid philosophy then, and it remains a cancer on the ability of new browsers to enter the market now).

    Some of those mis-designs have since been robustly fixed - like cookies fixing the fact that HTTP originally was unable to be stateful, and without which sites just failed to properly work.

    Some of those mis-designs are opt-in, leading to major bugs across huge sections of the web that haven't opted in. Like the fact it's not encrypted by default (see also: Channel9 is not SSL) - and this is a straight-up bug in the web. That one was harder to see in the early 90s, but we're more than two decades on and we still don't have mandatory SSL for all sites. This is a bug in the web.

    Some of the mis-designs are a tax on developers. The fact that it's hard for developers to be confident that their design will work on all browsers (in contrast with, say, Silverlight, Flash or WinForms). This misdesign doesn't help users. It's just a cost to the whole industry and absorbs developer time away from doing something more useful like adding more features to their site.

    Some of the mis-designs are a tax on both developers and users. The fact that textual-generation of HTML and stateless-by-default HTTP leads to pervasive XSS and CSRF across basically all sites is a cost primarily felt by both users when their data goes missing, and companies who have to pay to clean it up, or hire expensive security consultants to come in and point out all of the bugs.

    And some of the mis-designs are ideological BS getting in the way of major classes of application being able to move to use the web. The fact that I can't run code straight on the metal of the machine means I will never be able to play AAA game titles in my browser. The lack of DRM in the video-tag means major companies like HBO and Netflix will be unable to stream their highest-quality videos to me without resorting to non-HTML components like apps and Silverlight. The lack of a local private key store means you can't do end-to-end crypto that is necessary for doing, say, PGP over Gmail without potentially exposing your private key to the site.

    These are real issues, and are not issues that can be solved with a new framework or a bit of whimsical JavaScript. They are architectural issues in the way the web was designed, and until we acknowledge the web's flaws and limitations, we will never be able to fix them and move past them.

    You realize that all those problems have been solved recently? Local crypto and DRM (which is hilarious coming from a security guy, talk about something that is truly fundamentally flawed) are part of recent W3C specs.

  • Why no Silverlight or Flash

    You seem to completely ignore the hyperlink question. You either don't realize or are entirely ignoring that if I am to allow for hyperlinks, I can't magically produce software that decides for me if any given request was triggered for malicious intent. You can make the assumption that requests from a different referrer are inherently malicious, but that's a bullsh!t assumption. Obviously that would break search engines, and many other things, and well, it just isn't really workable or realistic.

    There is a saying in computer security: the only secure system is one that is turned off. Although I don't agree with that: it's too optimistic. Someone could still break into the facility and steal it. So Bass's law of computer security: The only secure system is one that has been chucked to the depths of Mount Doom, which is blown up then blown up by Tsar Bomba just to make sure. Even then, I'm not sure DARPA won't figure out some way to reassemble it.

    The reality of computer security is that you try to make a computer system as secure as possible given its requirements. A car manufacturer doesn't remove their car engines to increase the safety profile. You don't get a free pass to gimp the computer system in the name of security. That's pretty damn basic stuff.

  • Why no Silverlight or Flash

    evildictaitor wrote:

    *snip*

    No. It's not about having some vulnerabilities. It's about having architectural vulnerabilities.

    All sufficiently complex software will eventually have vulnerabilities. But substantively all websites have XSS and CSRF because the web was mis-designed.

    Had we killed the anti-pattern of textual generation of HTML right at the start, and made HTTP stateful, I'd be struggling to find a single example of XSS or CSRF, rather than you struggling to find a single website that hasn't been vulnerable to them.

    There's a saying in computer security: it's either secure by default or it's not secure. The web not being secure by default against XSS and CSRF is a bug in the web itself - as clearly proven by the fact you still can't find a single example of a site that's never been affected by one or the other.

    But the fact that the web has architectural flaws shouldn't be a surprise to anyone with an ounce of common sense. The entire history of the web is a litany of re-engineering to fix architectural flaws in the web.

    Cookies fix the architectural bug that webpages were stateless. Web-storage fixes the architectural bug that it's otherwise impossible to store data client-side. SSL/TLS fixed the architectural bug that it was unencrypted. ActiveX fixed the architectural bug that it wasn't interactive - and HTML5 fixed many of the architectural bugs in the web that were introduced by using ActiveX as a hack. HSTS fixes the architectural bug that sites could be downgraded by active-MITM from SSL to HTTP. We've had to layer fix after fix onto browsers to fix the architectural bug that HTML had no canonical representation on browsers, leading to decades of nightmares for web-developers.

    The web now is fundamentally different to how it was when it started, precisely because the web was built on sand and needed to be fixed. To claim it was made perfect by Jesus and George Washington right from the start is to misunderstand how much energy has been consumed fixing major issues the web has had right from the start, and major issues that it continues to have.

    We'll get there eventually. But we'll get there a whole damn sight faster if groupies that think the web has no problems get out of the way and let professionals get on with fixing the architectural bugs that have haunted the web since it was misdesigned in the 90s.

    Hmmm.. not sure I follow. It seems your new argument is now that the web is fundamentally flawed because it didn't solve all possible anticipated and unanticipated problems back when it was first prototyped by Sir Tim Berners-Lee. Is that correct? Or did you just move the goalposts and your new claim is the far less controversial "the web is not yet perfect"?