<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:clearspace="http://www.jivesoftware.com/xmlns/clearspace/rss" xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0">
  <channel>
    <title>Clearspace Recent Blog Comments Syndication Feed</title>
    <link>http://developers.curl.com/blogs</link>
    <description>A syndication feed of new blog post comments on this system</description>
    <pubDate>Wed, 03 Sep 2008 15:28:55 GMT</pubDate>
    <generator>Clearspace 1.6.0 (http://jivesoftware.com/products/clearspace/)</generator>
    <dc:date>2008-09-03T15:28:55Z</dc:date>
    <item>
      <title>RE: Rich Internet Applications Death Match!</title>
      <link>http://developers.curl.com/blogs/community_blog/2008/09/02/rich-internet-applications-death-match#comments-1415</link>
      <description>Hi URPradhan,&lt;br /&gt;
&lt;br /&gt;
Can we move your discussion about features in Curl to the discussion list? I think that's a more appropriate venue for that discussion.</description>
      <pubDate>Wed, 03 Sep 2008 15:28:55 GMT</pubDate>
      <author>RMH</author>
      <guid>http://developers.curl.com/blogs/community_blog/2008/09/02/rich-internet-applications-death-match#comments-1415</guid>
      <dc:date>2008-09-03T15:28:55Z</dc:date>
    </item>
    <item>
      <title>RE: Rich Internet Applications Death Match!</title>
      <link>http://developers.curl.com/blogs/community_blog/2008/09/02/rich-internet-applications-death-match#comments-1414</link>
      <description>I just had an interaction with a Flex guru and he told me that it's very very simple to apply flashy effects like fading, dissolve, fly-out, animations, etc ... to RIA applications using Flex/Flash. But still Curl lacks these &lt;img class="jive-emoticon" border="0" src="http://developers.curl.com/images/emoticons/sad.gif" alt=":(" /&gt;&lt;br /&gt;
&lt;br /&gt;
Any plan for native integration of these into Curl?</description>
      <pubDate>Wed, 03 Sep 2008 10:13:39 GMT</pubDate>
      <author>URPradhan</author>
      <guid>http://developers.curl.com/blogs/community_blog/2008/09/02/rich-internet-applications-death-match#comments-1414</guid>
      <dc:date>2008-09-03T10:13:39Z</dc:date>
    </item>
    <item>
      <title>RE: Rich Internet Applications Death Match!</title>
      <link>http://developers.curl.com/blogs/community_blog/2008/09/02/rich-internet-applications-death-match#comments-1413</link>
      <description>Voting has been closed, but you can still leave a comment.</description>
      <pubDate>Wed, 03 Sep 2008 07:34:03 GMT</pubDate>
      <author>friedger</author>
      <guid>http://developers.curl.com/blogs/community_blog/2008/09/02/rich-internet-applications-death-match#comments-1413</guid>
      <dc:date>2008-09-03T07:34:03Z</dc:date>
    </item>
    <item>
      <title>RE: Curl Development Tools for Eclipse (CDE) is now Available!</title>
      <link>http://developers.curl.com/blogs/community_blog/2008/08/06/curl-development-tools-for-eclipse-cde-is-now-available#comments-1412</link>
      <description>Note that you can find the source code of the plugin at the bottom of the page with the license agreement!</description>
      <pubDate>Tue, 02 Sep 2008 10:30:22 GMT</pubDate>
      <author>friedger</author>
      <guid>http://developers.curl.com/blogs/community_blog/2008/08/06/curl-development-tools-for-eclipse-cde-is-now-available#comments-1412</guid>
      <dc:date>2008-09-02T10:30:22Z</dc:date>
    </item>
    <item>
      <title>RE: Professional Web Based Training Courses in Curl for Free!</title>
      <link>http://developers.curl.com/blogs/community_blog/2008/08/17/professional-web-based-training-courses-in-curl-for-free#comments-1411</link>
      <description>if you can share the source code of curl demos hosted at www.curl.com to public, it will be a good learning material for all.</description>
      <pubDate>Thu, 28 Aug 2008 04:06:54 GMT</pubDate>
      <author>URPradhan</author>
      <guid>http://developers.curl.com/blogs/community_blog/2008/08/17/professional-web-based-training-courses-in-curl-for-free#comments-1411</guid>
      <dc:date>2008-08-28T04:06:54Z</dc:date>
    </item>
    <item>
      <title>RE: Why Criminal Hackers Will Love Adobe AIR</title>
      <link>http://developers.curl.com/blogs/community_blog/2008/04/16/why-criminal-hackers-will-love-adobe-air#comments-1410</link>
      <description>a couple random thoughts&lt;br /&gt;
&lt;br /&gt;
as i was reading through the article and associated comments .. i played a little game where every time i saw a reference to Adobe AIR i replaced it with something like Java or .Net .. i found that most of the statements were just as valid with these replacements (Daniel touched on this in his comment) .. essentially the singling out of AIR, in this context, is frivolous.  i might have preferred an article titled "Why Criminal Hackers like the amateur software trade" or on a less negative note "Why Criminal Hackers hate curl" .. it seems like that article might have better addressed the issues inherent in our current software distribution model and even possibly offered some solutions for both future software developers and developers with large existing code bases or other extenuating circumstances that prohibit them from changing development environments.&lt;br /&gt;
&lt;p /&gt;
now there are 2 conflicting dichotomies that make the above topic difficult to discuss .. &lt;br /&gt;
&lt;br /&gt;
firstly, we have "Casually loaded Internet gadgets" vs applications that need system access .. (for the sake of this discussion we will pretend that there is no area of gray between these two) .. I think most would agree that the gadgets have absolutely no need to run outside of a secure sandbox of some kind .. I personally would agree that most applications don't need any more access than those gadgets do .. but that leaves us with applications that need system access ..&lt;br /&gt;
&lt;br /&gt;
which brings us to our second dichotomy .. professional software vs amateur software .. a company, in the case of the type of application that needs system access, can do the whole signed application / certificate thing to prove their software is 'legitimate' .. but a weekend developer, just trying to get his/her stuff out there for people to see probably doesn't have the cash (or desire to spend the cash) to 'verify' their software .. i understand that an end user can still download and install this software if they "agree to a pretty scary warning" but ..&lt;br /&gt;
&lt;br /&gt;
a company that i was working for allowed users to place links to external sites on their profile .. now obviously, within the first week some malicious users took advantage of this to redirect naive users to password mining copies of our login page (despite copious warnings against trusting links on a user's profile) .. so then, every time a user clicked on an external link .. we popped up an alert, notifying the user that he/she was navigating off the site .. (almost no change in the number of accounts compromised in the above manner) .. next step: every external link went to a page where, on a red background, bold text notified the user that they were leaving the site .. (only slightly fewer passwords were compromised)&lt;br /&gt;
&lt;br /&gt;
when you are in an environment that offers both limited-secure and unlimited-nonsecure interactions .. you have to trust the user to apply their better judgment to the situation .. unfortunately, and don't get me wrong .. i love the little scalawags, users don't want to read your important warning message&lt;br /&gt;
&lt;br /&gt;
(as a side note, on the point of signing .. while great for 'man in the middle' hacking .. i feel the need to point out that once, on a lark, a few of my friends and i chipped in on getting a piece of malware properly signed through Verisign.)&lt;br /&gt;
&lt;p /&gt;
ok .. last thing .. then i shut up:&lt;br /&gt;
&lt;br /&gt;
software development is a landscape of ever changing topography .. and right now, one of the prominent features of that landscape is amateur developed applications .. we see this on sites like Facebook, and in the casual gaming community .. really all over the place .. in the past, the lion's share of our interactions with this 'software' was mediated by a browser, and the sandboxes that come with it .. but this has been changing .. people don't always just want a little freeware gadget or game .. there are applications now .. and some of these applications cannot be run from a locked down sandbox .. and this obviously has the potential to cause a lot of damage .. but it also breathes a lot of new life into the software development community&lt;br /&gt;
&lt;br /&gt;
now we could solve the above problem by creating a solution in a single language, and bullying everyone else into using it .. but even if you could get everybody to agree on your solution .. one of the big reasons multiple programming languages exist is that they all solve for different problem domains .. furthermore, those problem domains evolve over time .. so the likelihood of your solution or language still being applicable (or even existing) in 20 years is pretty low&lt;br /&gt;
&lt;br /&gt;
it seems to me that if we are really intent on making the software world a safer place for users to navigate, we need to focus on a solution that is language (or even context) agnostic .. maybe it's a lightning fast virtual runtime that can encompass any VM and act as an internal firewall whose rules are set by an external team of experts (like modern virus software) .. or some topographical change to the way we build operating systems that separates 'secure' actions from 'insecure' ones .. or even a system that can cleverly trick users into learning enough about how their computer works to make informed decisions when those crazy popups tell them that they have to make some arbitrary seeming choice .. I believe that solution to be Adobe Air .. just kidding .. i wanted to see if anybody was still reading at this point .. to be honest, i have no idea where such a solution might sit .. security isn't my milieu.&lt;br /&gt;
&lt;br /&gt;
&lt;ul class="jive-dash"&gt;

&lt;ul class="jive-dash"&gt;
&lt;li&gt;me&lt;/li&gt;
&lt;/ul&gt;
&lt;/ul&gt;</description>
      <pubDate>Sun, 24 Aug 2008 00:05:59 GMT</pubDate>
      <author>peabulls</author>
      <guid>http://developers.curl.com/blogs/community_blog/2008/04/16/why-criminal-hackers-will-love-adobe-air#comments-1410</guid>
      <dc:date>2008-08-24T00:05:59Z</dc:date>
    </item>
    <item>
      <title>RE: Why Criminal Hackers Will Love Adobe AIR</title>
      <link>http://developers.curl.com/blogs/community_blog/2008/04/16/why-criminal-hackers-will-love-adobe-air#comments-1409</link>
      <description>Daniel,&lt;br/&gt;
&lt;br/&gt;
Your response is well reasoned and you are right: there are certain applications for which you need a native installation. However, this is not the case for all applications or even (I would argue) most applications.&lt;br/&gt;
&lt;br/&gt;
Take the application you are developing as an example.  Does it need full system access; is it necessary for the application to be able to access your entire hard drive?  Does it need to be able to connect to arbitrary ports? Start arbitrary processes?  Probably not. Most applications don't.  Yet, this is the kind of functionality made possible by native installations, which is the type of installation you get with Adobe AIR.&lt;br/&gt;
&lt;br/&gt;
Imagine a world in which native installs are the exception, not the rule.  Where most applications could not access your entire hard drive, silently open arbitrary ports or start up processes.  Wouldn't the world be a safer place for our computers?  Our data?&lt;br/&gt;
&lt;br/&gt;
Obviously we are not going to change the world, but we can offer an alternative to enterprises that choose to take advantage of it.  Curl offers a platform where it's assumed that applications don't need system wide access. An environment in which every application your employees use is viewed as potentially dangerous.  &lt;br/&gt;
&lt;br/&gt;
If you are an enterprise and you set up Curl, most applications will run without you having to agree to anything because they are effectively innocuous.  An application that is completely quarantined from the rest of your system is fairly harmless.  Obviously, we cannot protect people from social engineering but we can stop arbitrary applications from doing anything they want after they are downloaded and installed.&lt;br/&gt;
&lt;br/&gt;
We say to our customers: Don't settle for an environment where arbitrary applications can do just about anything to your system. Insist on a safer environment, one in which employees cannot download malicious applications by intention or mistake.&lt;br/&gt;
&lt;br/&gt;
With Curl you can deploy, and users can install, applications that have full privileges to the system, but you have to buy a license to create them (a financial roadblock to hackers but not corporations) and you have to agree to a pretty scary warning if you want to install the application.  In addition, administrators can block a user's ability to install privileged applications or grant permissions for Curl to run specific privileged applications signed by a known certificate authority.&lt;br/&gt;
&lt;br/&gt;
We can't change the world, but we can make it safer one enterprise at a time. In the end, however, it's up to each enterprise to decide. Do they want their users to be able to download malicious applications or not?  If the answer is "no" then they need Curl as their common runtime for applications. If the answer is "Yes we do want users to be able to install malicious applications" then they can use any solution they want.&lt;br/&gt;
&lt;br/&gt;
I hope that helps explain our position on this issue. We offer a safe environment to run arbitrary applications. Any environment that allows for natively installed applications (including Adobe AIR) does not.&lt;br/&gt;
&lt;br/&gt;
All the best,&lt;br/&gt;
&lt;br/&gt;
Richard</description>
      <pubDate>Sat, 23 Aug 2008 07:27:20 GMT</pubDate>
      <author>RMH</author>
      <guid>http://developers.curl.com/blogs/community_blog/2008/04/16/why-criminal-hackers-will-love-adobe-air#comments-1409</guid>
      <dc:date>2008-08-23T07:27:20Z</dc:date>
    </item>
    <item>
      <title>RE: Why Criminal Hackers Will Love Adobe AIR</title>
      <link>http://developers.curl.com/blogs/community_blog/2008/04/16/why-criminal-hackers-will-love-adobe-air#comments-1408</link>
      <description>It's obvious what the problem is -- that no security is provided -- but the exact same thing happens if I distribute a Java app via Webstart (or via download, like my www.confusionists.com/handsonic) or if I distribute a .Net app (as I do with www.thekbase.com). What would be the "first publicized exploit?" You mean, a malicious application? &lt;br /&gt;
&lt;br /&gt;
My question is, what kind of solution do you want? Most users who have a personal firewall installed say "yes" to every access request, because otherwise STUFF DOESN'T WORK. There is no simple answer to this. Imagine an app that says, "this so and so app wants to delete some stuff from your /opt/whosit directory. Is that okay?" How should a user respond? As computers are being used by more and more people, more and more people do not know what their filesystem looks like.&lt;br /&gt;
&lt;br /&gt;
A real solution -- for AIR, like for .Net or Java or native applications -- would include some kinds of security levels or something (i.e., the sandbox would have to be comprehensible to the end user). But what would it require of the user? What kind of user would be able to benefit from it?&lt;br /&gt;
&lt;br /&gt;
We have all types of malware because OSes (and VMs) provide a service, which can be used for evil as well as good. Security is really really hard stuff to do, because we want our OS or VM or whatever to continue providing a service. Critics are everywhere but solutions that are viable for the masses are few.&lt;br /&gt;
&lt;br /&gt;
Excuse my naivete and getting to the conversation late. I'm just thinking of using AIR for my next app and happened to have found this thread.</description>
      <pubDate>Fri, 22 Aug 2008 21:12:44 GMT</pubDate>
      <author>Daniel Rosenstark</author>
      <guid>http://developers.curl.com/blogs/community_blog/2008/04/16/why-criminal-hackers-will-love-adobe-air#comments-1408</guid>
      <dc:date>2008-08-22T21:12:44Z</dc:date>
    </item>
    <item>
      <title>RE: A second iteration and a first alternative</title>
      <link>http://developers.curl.com/blogs/rshiplett/2008/08/13/a-second-iteration-and-a-first-alternative#comments-1406</link>
      <description>|| I may use this as a style-sheets template for Curl 6, 7 applets&lt;br /&gt;
{api-version-switch&lt;br /&gt;
 case "6+" do&lt;br /&gt;
    {import * from CURL.GUI.STYLED-CONTROLS}&lt;br /&gt;
    {install-style-sheet&lt;br /&gt;
      {get-default-style-sheet}&lt;br /&gt;
    }&lt;br /&gt;
}</description>
      <pubDate>Sat, 16 Aug 2008 15:12:42 GMT</pubDate>
      <author>rshiplett</author>
      <guid>http://developers.curl.com/blogs/rshiplett/2008/08/13/a-second-iteration-and-a-first-alternative#comments-1406</guid>
      <dc:date>2008-08-16T15:12:42Z</dc:date>
    </item>
    <item>
      <title>RE: A second iteration and a first alternative</title>
      <link>http://developers.curl.com/blogs/rshiplett/2008/08/13/a-second-iteration-and-a-first-alternative#comments-1405</link>
      <description>The 3rd and 4th indices use a text-proc, not a proc&lt;br /&gt;
&lt;br /&gt;
3rd and 4th will be printable&lt;br /&gt;
&lt;br /&gt;
4th is intended to be modified so user can add entries as CSPD as that book came with no index&lt;br /&gt;
&lt;br /&gt;
I have modified the 4th index to be abridged; I will add an uncommented index as a link to be a usable index</description>
      <pubDate>Fri, 15 Aug 2008 15:07:25 GMT</pubDate>
      <author>rshiplett</author>
      <guid>http://developers.curl.com/blogs/rshiplett/2008/08/13/a-second-iteration-and-a-first-alternative#comments-1405</guid>
      <dc:date>2008-08-15T15:07:25Z</dc:date>
    </item>
  </channel>
</rss>

