Open Source and information security mailing list archives
 
Message-ID: <Pine.GSO.4.21.0309021258540.6601-100000@arlen.osc.edu>
Date: Tue, 2 Sep 2003 13:02:39 -0400 (EDT)
From: Igor Filippov <igor@....edu>
To: Simon Brady <simon.brady@...go.ac.nz>
Cc: bugtraq@...urityfocus.com
Subject: Re: RIP: ActiveX controls in Internet Explorer?


It seems the patent in question covers not only client-side
executables, but server-side as well:
"Once selected the program object executes on the
user's (client) computer or may execute on a remote server or additional
remote computers"
So, not only JavaScript/Flash/Java are subjects of this copyright
but any CGI/whatnot application as well - or am I reading it wrong?

Igor



On Mon, 1 Sep 2003, Simon Brady wrote:

> On Sat, 30 Aug 2003, Alun Jones wrote:
> 
> > The descriptions I've heard of this suggest that this patent could be
> > applied equally to prevent (or grab payment from implementors of)
> > Javascript, Java, Flash, etc.
> > 
> > I'm with you on the security issues with ActiveX (and Javascript) - I
> > disable ActiveX on the principle that it has no security consideration, and
> > Javascript on the basis that it's been frequently implemented in a
> > vulnerable manner.  But this is a considerably further-reaching patent than
> > merely killing off ActiveX.  Before we sing "ding dong the witch is dead",
> > let's have some concern for the peaceful Wiccans that might be next on the
> > chopping block.
> 
> Java and Flash aren't exactly free of security issues either. In fact, I 
> would go further and argue that the whole notion of a controlled 
> client-side runtime environment for remote code has been an unmitigated 
> disaster for the web (and this is solely from a security perspective - see 
> http://members.optusnet.com.au/~night.owl/morons.html for a refreshing 
> take on the usability crisis they've caused).
> 
> I'm not just referring to current implementations with their appalling 
> defect rates. All client-side runtimes, no matter how well-written,  
> inherently reduce security. That's their function: to give outsiders 
> access to your machine they otherwise wouldn't have.
> 
> Even more insidiously, their prevalence numbs users into a mode of thought
> that it's quite normal and healthy to let this happen. How can the
> security community promote safe browsing when users are being forever
> brainwashed into ignoring or disabling security features for the sake of
> pointless but pretty downloadable applets? How can we encourage content
> developers to reduce attack surface when fashion demands yet more
> gratuitous bells and whistles?
> 
> Web applications belong on the server. The more widely this patent gets
> applied the better off the browsing public will be.
> 
> --
> Simon Brady                             mailto:simon.brady@...go.ac.nz
> ITS Technical Services
> University of Otago, Dunedin, New Zealand
> 
>     I don't speak for my employer, and they don't speak for me.
> 


