Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Internet Explorer The Internet Security

Brian Hook on the ActiveX Experience 523

Obiwan Kenobi writes "Brian Hook of id software fame got around to developing on ActiveX and found some minor grievances, particularly in the security department. To quote: "I've been doing some ActiveX coding on the side for a couple days, stuff I'm not familiar with, and I'm just flat out _appalled_ at how bad that entire API and design is. I can make an OCX that basically formats your hard drive, stick it on a Web page with a tag, and if your security settings are set low enough, you'll start formatting your hard drive the minute you visit my Web page.""
This discussion has been archived. No new comments can be posted.

Brian Hook on the ActiveX Experience

Comments Filter:
  • by Assmasher ( 456699 ) on Monday January 17, 2005 @12:33PM (#11386723) Journal
    I wonder if anybody knew that before... LOL.
    • TO elaborate, this has been an issue ever since the very first active X control was invented. No default installation of Intercrappy explorer has every allowed unsigned active x controls to auto-install for this very reason. The issue pre-dates IE 4 (3 as well afaik.)
      • by sepluv ( 641107 ) <blakesley AT gmail DOT com> on Monday January 17, 2005 @12:53PM (#11386973)
        And what may I ask makes a signed active-X control any less dangerous than an unsigned one?
        • You know the author.

          An unsigned control can come from anywhere, a signed control comes from the signing authority.

          Would you install a firefox extension from a random web site or only from those that you trust?
          • by realdpk ( 116490 ) on Monday January 17, 2005 @01:02PM (#11387081) Homepage Journal
            A signed control can come from anywhere, too. A lot of spyware is signed.
            • by LO0G ( 606364 )
              Sure. But you know the signer. And you agree to install it.

              Same is true for a firefox extension. By installing the extension, you're saying that you know and trust the originator of the extension.

              Code signing allows you to KNOW the originator of the control - they had to pay money to Verisign (or whoever) to sign their code, which rules out a lot of random malware.

              Now then, it IS possible to hide the origin of the control (if the control comes from "You must agree to load this control to view your Div
              • by Waffle Iron ( 339739 ) on Monday January 17, 2005 @01:41PM (#11387496)
                Of course you have to trust the CA who issued the certificate that signed the control

                Does Verisign review the source code for the controls that its certificates are applied to? I think not.

                About the only thing that we can "trust" is that Verisign got a check from the developers. The ability to mail a check != trustworthiness.

              • "But at least signing gives you verifiability."

                OK, so in your search you find that the extension was signed by a company in the Bermudas or India or something. Do you really care to take it further than that?

                "Of course you have to trust the CA who issued the certificate that signed the control"

                There are no trustworthy CAs. They've all made mistakes, and there will be mistakes in the future. The whole CA thing, mandated through browser warnings and such, is a "false sense of security" scam.
              • by Fulcrum of Evil ( 560260 ) on Monday January 17, 2005 @02:35PM (#11387984)

                Sure. But you know the signer. And you agree to install it.

                I'd rather have the Java model, where it requests specific permissions. I actually don't know the author, unless it's MS or Macromedia or someplace similar. Real security is proactive, not reactive. Besides, most software absolves itself of all responsibility, so what could you really do? Show up at their door with a baseball bat?

              • ...to play in FireFox's sandbox, not to t0t411`/ 0wn3rz uR |-|4r|) |)15k or any other hardware you happen to have, which is the level of trust you're extending to ActiveX.

                There's a slight difference.
    • by Frymaster ( 171343 ) on Monday January 17, 2005 @12:39PM (#11386799) Homepage Journal
      I wonder if anybody knew that before...

      well, it is pretty obvious. although the key phrase here is "if the user's security settings are set low enough."

      i mean, any operating system is vulnerable to an exploit if it's security infrastructure is sufficiently loose. if you set your entire filesystem to 777 then you're completely vulnerable on any unix-based os too.

      the real questions here are:

      1. how low is "sufficiently low"
      2. how low is the security level out of the box
      • by Gordonjcp ( 186804 ) on Monday January 17, 2005 @12:45PM (#11386880) Homepage
        If you set your entire filesystem to 777 then loads of stuff will just throw up its metaphorical hands and refuse to run. Try it on a throwaway box some time (actually, User Mode Linux is good for experimenting with Practical Unix Terrorism, but that's a whole other topic).

        • Not to mention the fact that even if you did manage to set everything to 777, you still wouldn't be in trouble at all, as long as you a) are the only one with access to your computer and b) aren't running any buggy software.

          Of course, the second requirement is exceedingly hard to guarantee, but it still beats the Windows situation where no bugs are required to provide the attacker with an entry point.

          Unless you consider ActiveX a bug in itself. Which you probably should.
      • by jellomizer ( 103300 ) * on Monday January 17, 2005 @12:48PM (#11386915)
        Well people start getting these warning messages and they realize that they are usually there to help them out they just go and lower their security settings so they don't get botherd by the messages. While the average useser plays dumb they will ineateate a high amount of intelegence to say get his online poker game to run. But after it corrupts his drive he will point to you and tell you to fix it.
        • Of course, these things are not restricted to a specific operating system and applies to an amazing amount of software as well. The technique goes under the name "social engineering".
      • by All Names Have Been ( 629775 ) on Monday January 17, 2005 @12:53PM (#11386977)
        i mean, any operating system is vulnerable to an exploit if it's security infrastructure is sufficiently loose.

        The problem is, there aren't many OS's out there that arbitrarily run dangerous code from a web page with no interaction from the user other than visiting the page in question, low security settings or not.
        • Bingo. (Score:5, Insightful)

          by Weaselmancer ( 533834 ) on Monday January 17, 2005 @12:59PM (#11387056)

          That's it exactly.

          To put it another way, if you change a single setting in a single program (IE) any web page can zap your system. To make your *nix box as insecure, you have to change the file permissions for every single file on the system.

          IE is a single point of failure. That's what makes the comparison invalid. You'd have to go out of your way to screw up a *nix box that bad.

          • Re:Bingo. (Score:5, Insightful)

            by adiposity ( 684943 ) on Monday January 17, 2005 @01:40PM (#11387481)
            Actually, that's false. This is only true if you run in windows as "root" (Administrator). If you login into X-windows as root, you're just as vulnerable (assuming you are using a program like IE that will allow some script to do something malicious).

            The obvious problem is that it's much more common to run Windows as "root" than it is on *nix, for various reasons. Not the least of which is the fact that *nix users usually are smart enough to use one account for administration, and other for doing "user" stuff. Also not the least of which is that many Windows apps aren't written in such a way that it's feasible to run them in non-root mode.

            This isn't to say that Active-X isn't dangerous...it is. But the big difference between *nix and Windows here, is that *nix is run by somewhat security-savvy people, and Windows (often) isn't. With "user-friendly" linuxes coming out, many of which login as root by default, a lot of that protection will go away.

            The average user simply isn't willing to have an "administrator" account that they have to use every time they want to install an app. That fact means that for *nix to go mainstream, a lot of security inherent in *nix philosophy will have to be lost.

            Luckily, mozilla/firefox are being designed in such a way that they are much less likely to exploit lax security than IE is. This will only partially mitigate the problem, though, as people dumb enough to click on a random link and run the program can still get screwed.

            -Dan
            • Ever heard of OS X? (Score:5, Informative)

              by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Monday January 17, 2005 @03:22PM (#11388448) Homepage Journal
              The average user simply isn't willing to have an "administrator" account that they have to use every time they want to install an app.

              My wife isn't terribly computer savvy (at least, she wouldn't be if she weren't married to a CompSci person), but she's perfectly content with Mac OS X asking for her password before updating system software. It's an immediate red flag that something important is about to happen, and I think she'd be extremely hesitant to type it in response to clicking on a link to a web page.

      • by Lumpy ( 12016 )
        he means internet explorer security settings.

        and MOST people run with IE set for trust everything because they have had trouble with the random poorly designed bank site.

        so many people can get hosed easily. that is why we block ALL active X at the firewall. no active X for any reason what-so-ever. and it does not affect our company one tiny bit except keep us a bit cleaner of spyware.
        • and MOST people run with IE set for trust everything because they have had trouble with the random poorly designed bank site.
          ----------
          Bullshit .Most people run it with default settings (which are pretty reasonable) because they do not know how to change them anyway.
      • by mcrbids ( 148650 ) on Monday January 17, 2005 @12:57PM (#11387027) Journal
        any operating system is vulnerable to an exploit if it's security infrastructure is sufficiently loose. if you set your entire filesystem to 777 then you're completely vulnerable on any unix-based os too.

        Really? So, if I chmod 777 my, uh, /tmp or /mnt/deleteme directory, you can make a web page that will delete it all from within my Firefox browser? On my Fedora Core 3 laptop?

        Are you sure?

        See, to do this, you have to get a script or something to run on my system to delete these locations. Show me where even lowly jscript allows for this...

        Now, I'm no jscript guru, so I did a google search for jscript delete files [netreach.net] and, on at least the first page or two, only came up with stuff having to do with the ".NET framework" or involving ActiveX!

        And the point isn't that files can be deleted, the point is that the API for ActiveX allows somebody to do this remotely.
      • First of all, this is all allowed remotely. Second of all, if you 777 your drive, any major service will refuse to start. Most good and properly coded servers like apache and ssh check their permissions and if something is out of wack, they just won't run. A self-audit helps to prevent against even loose OS security.
        Regards,
        Steve
      • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Monday January 17, 2005 @03:06PM (#11388306) Homepage Journal
        i mean, any operating system is vulnerable to an exploit if it's security infrastructure is sufficiently loose.

        It's lose, darnit, lose lose LOSE !

        Wait a minute, you actually meant to say "loose", didn't you?

        Between using "lose/loose" correctly and not writing "This begs the questions:", I'm prompted to ask: what are you doing on Slashdot? We don't take decent grammar lightly around here, bucko.

        • He's one of us (Score:3, Informative)

          by sbszine ( 633428 )
          The original poster wrote: if it's security infrastructure is sufficiently loose. I say we ask Taco to unban him in light of this new evidence.
    • by PopeAlien ( 164869 ) on Monday January 17, 2005 @12:46PM (#11386897) Homepage Journal
      - Sco claims ownership of linux source code!
      - Apple has released new products!
      - DVD CSS encryption has been broken!
      - RIAA threatened by P2P networks!
      - Darth Vader is Lukes Father!
      - BSD is dying!

      Its good to keep up to date on all the latest news.
  • Do it (Score:5, Funny)

    by savagedome ( 742194 ) on Monday January 17, 2005 @12:33PM (#11386727)
    I can make an OCX that basically formats your hard drive, stick it on a Web page with a tag, and if your security settings are set low enough, you'll start formatting your hard drive the minute you visit my Web page

    Please. DO IT NOW. Thanks.
    • Re:Do it (Score:5, Funny)

      by mordors9 ( 665662 ) on Monday January 17, 2005 @12:39PM (#11386807)
      But does it run on Linux ;-)
    • It is actually so easy there is no cred in writing it, so no hacker has actually done it. You can create it in 5 minutes in VB6.
    • Re:Do it (Score:3, Funny)

      by TWX ( 665546 )

      echo y|format c: /q

      rm -rf /

      It's doable.

      Back in the Windows 95 days when I was fifteen, Best Buy's computer sales department pissed me off so badly at a particular store that I added the format statement to the autoexec.bat files on their demo computers as I browsed around. They installed security software in that particular store after that.

      At some point Microsoft modified format.exe (or was it format.com?) to make it clear the buffer before prompting for yes/no.

  • So... (Score:5, Funny)

    by Aztek ( 260107 ) on Monday January 17, 2005 @12:34PM (#11386732) Homepage
    what rock has he been under all these years?
    • Yeah, it sounds obvious, but I'm sure he's just shocked at how disturbingly easy it is to create malicious code using ActiveX.
  • by kdark1701 ( 791894 ) on Monday January 17, 2005 @12:34PM (#11386733) Homepage
    Well, that would eliminate the problem of people not knowing how to format their hard drive
    • Bonus! (Score:3, Funny)

      by CaptainZapp ( 182233 ) *
      In addition you get a completely secure box and the guarantee that all your spyware and trojans are cleaned.

      Yep, sounds like a great deal.

  • You know... (Score:3, Funny)

    by Eccles ( 932 ) on Monday January 17, 2005 @12:35PM (#11386741) Journal
    I'm not sure I want to follow that link...

  • does he mean... (Score:2, Informative)

    by Sfing_ter ( 99478 )
    Does he mean the settings low enough to actually use it on the internet?

    Why not just create a "zone" hopper, then he doesn't have to worry about your settings. Better yet, just use one of the existing ones.
  • First Post (Score:4, Funny)

    by Anonymous Coward on Monday January 17, 2005 @12:35PM (#11386748)
    Firt po...

    Formatting C: 5% Complete

    • by Macka ( 9388 )

      Whoever mod'd that down to -1 as Offtopic didn't read it properly ... I thought that was quite funny
  • Please (Score:2, Funny)

    by Anonymous Coward
    Can you send a link?
  • by Anonymous Coward on Monday January 17, 2005 @12:36PM (#11386755)
    ...to point out potential issues in .Net. Even MS is no longer pushing ActiveX/COM. They are rewriting that trash out of their architectures as fast as they can. Maybe .Net doesn't come off as bad as COM, so can't be used to ridicule MS.
  • Anyone surprised? (Score:3, Interesting)

    by Penguinoflight ( 517245 ) on Monday January 17, 2005 @12:36PM (#11386756) Journal
    I guess it's surprising brian hook is interested in anything to do with web design, an activex intrest is even more odd.

    ActiveX is an aweful problem, I guess the only reason IE users are as safe as they are is the level of integrity in many website (better than we have thought in the past maybe...)

    Btw, thanks for the FP editors :)
  • iD software fame? (Score:2, Informative)

    by vasqzr ( 619165 )

    I think he's more famous for creating glide when he was at 3DFX
  • by hey ( 83763 )
    So ActiveX is bad? Interesting news!!

    And a posting on Slashdot says a Microsoft thing in bad. Amazing!!!
    • I don't know if ActiveX was bad in and of itself. The problem was in implementing security. Microsoft did a huge blunder, at near the same time that Sun was pondering security and Java applets. But Microsoft was still in that mode that seemed to wrap itself around the company up until a couple of years ago.

      I've set back the security settings on my family's Win2k box, but have to set it lower when I go to do system updates. The problem is that a lot of users, not truly realizing the threat of low settin
  • Oh, no! (Score:5, Funny)

    by Jacco de Leeuw ( 4646 ) on Monday January 17, 2005 @12:37PM (#11386770) Homepage
    ... and if your security settings are set low enough, you'll start formatting your hard drive the minute you visit my Web page.

    I hope virus writers won't find out about this!

  • More Ammo (Score:5, Interesting)

    by TSR Wedge ( 732684 ) <wedge@nosPAM.wedgenet.us> on Monday January 17, 2005 @12:37PM (#11386772) Homepage Journal
    That is, more ammo to use when telling people to get off of MSIE. The prospect of having a webpage completely wipe their hard drives clean is something that should scare even the most lackidaisical of users.
    • by Mysticalfruit ( 533341 ) on Monday January 17, 2005 @12:45PM (#11386877) Homepage Journal
      If your going todo that, you might as well go full monte and create an activeX control that would format the harddrive and install linux... then it would be something useful...
      • "Interesting"? That is one of the worst things that could possibly happen to Linux from a PR point of view. The virus(es?) that attacked SCO were bad enough.
    • lackadaisical Audio pronunciation of "lackadaisical" ( P ) Pronunciation Key (lk-dz-kl)
      adj.

      Lacking spirit, liveliness, or interest; languid: "There'll be no time to correct lackadaisical driving techniques after trouble develops" (William J. Hampton).


      There is irony here, but will leave it to you to discover. (cue smily emoticon)
      • lackadaisical

        for the longest time i pronounced this with an "s" - "lacksadaisical".

        seems like it's at least a marginally popular alternate spelling... google returns around 1,100 for with the "s", though 143,000 without.

        i wonder where the difference originated.

        [ flacco invokes some anti-off-topic spells and shit. ]

  • Crazyness (Score:4, Interesting)

    by bburton ( 778244 ) * on Monday January 17, 2005 @12:37PM (#11386776)
    "First off, by default IE will not allow you to run an unsigned control. A control can be digitally signed, verifying that it came from you, and the signing process is arduous enough that, say, a bored junior high school student won't bother with the process. Unfortunately, anyone with $20 and who DOES care can get signed relatively easily."
    Besides the obviously stupidness inherent with ActiveX and its purpose, this is another really good reason why I refuse to use it. It doesn't have to be a program that formats my hard drive. It can be a piece of spyware, or some annoying ad pop-up that gets installed. There is no good way to implement natively executed ActiveX controls, at least for anything other than a company or website I know in advance that I trust unconditionally.

    I shutter at the thought of running any code that I (or at least someone else) has not inspected. Just another reason to use Firefox [firefox.com] and other opensource [gnu.org] software.

  • by Anonymous Coward on Monday January 17, 2005 @12:37PM (#11386777)
    Setup www.formatmyharddrive.com. Online hard drive formatting, done in minutes, only $5.
  • Vapor design (Score:5, Insightful)

    by Spy der Mann ( 805235 ) <spydermann DOT slashdot AT gmail DOT com> on Monday January 17, 2005 @12:38PM (#11386788) Homepage Journal
    I think this could be considered as a proof of how ActiveX was vapor-designed by Microsoft to compete with original Netscape's plugins.

    1. Examine more or less how competition works
    2. Quick! Make a prototype and flat-out obvious bugs
    (Missing step: redesign well taking into account security considerations)
    3. Overhype
    4. Profit!

    So now we're stuck with an obsolete plugin model, which Microsoft neglects to fix because this would break backwards compatibility.

    THE END.
  • Microsoft makes it pretty clear that arbitrary code can be ran from a web page in the security dialog.

    I thought that aside from the VeriSign problems, it's a pretty good system. It sure is easy for people to use.

    But now, with the various security problems, the only thing I can recommend is giving people instructions to download and install things on their computer. And so that makes it important to have simple installers.

    I'd say that once again, Apple is doing best in this area.

    • Re:Yeah, well... (Score:5, Interesting)

      by 99BottlesOfBeerInMyF ( 813746 ) on Monday January 17, 2005 @01:05PM (#11387119)

      Microsoft makes it pretty clear that arbitrary code can be ran from a web page in the security dialog.

      What is lacking is sandboxing. Here is a typical example. I go to a site to use a service. It has an active X control. I need to use the control, but don't fully trust them. My options are A) find another service, or B) run it and hope for the best. That is unacceptable. There needs to be an option C) run it in a sandbox, and don't let it read my files, or overwrite anything. I mean this is not brain surgery here. Java can do it, and Sun does not have the OS code.

  • Nothing new. (Score:4, Insightful)

    by GeckoX ( 259575 ) on Monday January 17, 2005 @12:43PM (#11386844)
    I'm really finding it hard to give this guy any credibility at all. First off, none of the issues he cites are in any way new, these problems are old hat. But then to get all nit picky about the details of these issues by professing things like 'I don't use ATL, I write my ActiveX in MFC.' Shit, I don't even know where to begin. The guys just now digging into ActiveX and has decided flat out that MFC is the way to do it? Strike 1, and strike 2. Not immediately dropping it and moving on to something more suitable, you're out man.

    I'm dumbfounded by this.

    And editors, you're not helping any by posting stories like this. It's all too obvious that this article was posted because it fits the anti-MS slant quite well. That's all fine and good, but this article brings absolutely NOTHING to the table except another excuse to bash MS and an OLD MS technology.
    • So are you saying the fact that he chooses to write his code in MFC negates the fact that the security on it is horrible?

      More suitable? In the security sense, you mean? In that case, it's Microsoft's fault that he's able to code an ActiveX app in MFC at all! Not his.

      • Sorry if that was less than obvious, but my point being that _what_ you code ActiveX in has no bearing on this whatsoever with regards to the underlying security issues in ActiveX. The fact that Hook chooses to argue the merits of ATL vs MFC, especially on an 'I don't use that one' statement, within the context of the security issue basically proves that he has no business commenting on the subject at all.
    • Yes, this article would have been relevant in 1997 or 1998. Not now.
    • Comment removed (Score:5, Interesting)

      by account_deleted ( 4530225 ) on Monday January 17, 2005 @01:02PM (#11387079)
      Comment removed based on user account deletion
    • Re:Nothing new. (Score:5, Insightful)

      by brunogirin ( 783691 ) on Monday January 17, 2005 @02:08PM (#11387752) Homepage
      I think you're missing the context here. First, this is a personal entry on a site that is read by very few users, it wasn't meant to be "news". Second, Brian, who had never done anything with ActiveX, decides to try the technology "on the side". He has heard all the horror stories about ActiveX but actually *using* the technology makes him realise that all the horror is real and, slightly amazed by his discovery, posts on that site. He is just expressing his dismay at the fact that all the horror stories about ActiveX are not myth but reality. Everyone of us does this: experiment to see for oneself and then share one's experiment with others. The findings might be old news for some but are not without interest.

      In practice, I find this article very interesting for what it is: the findings of someone who is a recognised programmer into a field he has no knowledge about; and that prove that all the ghastly rumours about ActiveX are true, not hype. Now whether it should be on /. is another question.

  • by jellomizer ( 103300 ) * on Monday January 17, 2005 @12:43PM (#11386847)
    Active X was never meant to be completely secure. It was designed to be faster and more powerful then Java. And it is that, faster because all the code runs natively with no virtual machine, and more powerful because all those annoying security designed are non existent. That is why it is so widely used. And that is why IE systems are full of spyware, that are spamming everyone! But during this time in the late 90s. IT wasn't thinking of security. And why should they. Hacker only came in on non firewalled systems. Downloading an untrusted active X control is just like downloading any other program be it a trogon or a virus, these usually worst case just messed up your files or in nasty cases put bad sectors on your disk (But I think that is an urban myth, I haven't studied virus that much to know for sure). So that was a user error. And with Windows 95 and 98 as a primary OS they already had access for mess up the drive from the system anyways. So while a lot of people were going THINK OF SECURITY MAN! They just go well it is faster then java plus I easily save files to the disk. I am using this.

    The move to a strong security model just started to really happen by the year 2000 when common people started getting high-speed internet access at less cost then the companies are paying for their T1 lines. Then they started clamoring to make everything secure but because they laid off the bulk of their IT employees they became under manned to fight security. So it is now a long slow process of building up IT security.
    • This is simply not true. Microsoft MUST have known the security implications, and chosen to ignore it. Just as they did a few years earlier, when tying Outlook/IE/Windows together. If nothing else, they should have learnt from that experience.

      I can remember thinking "oh my god, this can never be secure" when hearing about both of these happenings. So it was definitely on peoples horizon, at least on mine, and from somewhere, I must have gotten it :)

      So no, there is no need to excuse Microsoft here. They kn
      • I never said that they didn't know that is was insecure. I think they just didn't care and neither did the customers. Because these wern't major security problems at the time. They could sell more on features then on security at the time.
    • This gets a little circular, doesn't it? From those heady days of the nineties, I remember thinking security plenty of times. I remember plenty of companies thinking security too.

      Just because Microsoft (or rather their corporate strategists) was thinking "leverage OS monopoly into market domination", doesn't justify a cavalier disregard for what was going on around them; just because Windows 98 had security problems doesn't mean security wasn't an issue. This is especially true when copying technology tha
  • Looks like Brian Hook is getting seduced by the dark side of the force.
  • by The_REAL_DZA ( 731082 ) on Monday January 17, 2005 @12:44PM (#11386867)
    even WIDESPREAD coverage that the site is LETHAL to a computer wouldn't keep people from visiting it. When the "I Love You" virus hit a while back, we actually had users open the e-mail "just to make sure" it wasn't really someone sending them a love letter (like they EVER got them before and would SUDDENLY begin to, entirely by coincidence, right then...)

    Like the man said about tsunami alerts in the United States: "There's still a large segment of the population that would go get their kids out of school so they could drive to the beach and watch the big waves..."
  • That's WAY better than the old goatse.cx site!

    NOTE: If you don't know about goatse, don't look it up. It was never funny and it'll turn your stomache.

  • by Spencerian ( 465343 ) on Monday January 17, 2005 @12:46PM (#11386887) Homepage Journal
    If only the media could understand the magnitude of how completely frakked this OS design is in Windows, our government would start using systems less likely to be compromised during hostile acts against the US and its population.

    Not that any OS that doesn't use ActiveX is perfect...nothing is. But allowing the OS to be commanded through something as commonplace as a Web page or email is just ASKING for it.

    "No networked computers on my ship," says Adama in the new Galactica series. That point saves their asses from the other ships of the fleet, whose computers were rooted by the Cylons and quickly destroyed because of over-integration.

    Sure, it's fiction. But fiction has a grain of fact in it to make it real.
    • But fiction has a grain of fact in it to make it real.

      That's the most wonderful sentence I've ever read.

      Fiction ... Fact ... Real ... Fiction is real? ... Fiction is real when it's actually fact? ... Some fact is real? ... Some fiction is fact? ... Tautology? ... Oxymoron? ... Both?

      I think my brain is about to explode.
  • by erroneus ( 253617 )
    ...but it should be repeated until everyone has heard it loud and clear. ActiveX is dangerous.
  • Ah blah.... (Score:2, Interesting)

    by MajorDick ( 735308 )
    "I've been doing some ActiveX coding on the side for a couple days," WOW...HOW EXPERIENCE you are.....oh my

    In a word bullshit..

    Ie done ActiveX programming on and off for 6 years now, and while there are theings to be desired in the model, I can tell you you can create some pretty cool stuff in a short time.
    • Re:Ah blah.... (Score:3, Informative)

      by Trigun ( 685027 )
      ...I can tell you you can create some pretty cool stuff in a short time.

      Like a webpage that formats your hard drive!
  • by nels_tomlinson ( 106413 ) on Monday January 17, 2005 @12:51PM (#11386948) Homepage
    But that's double-plus-ungood-unpossible! Ballmer said [eweek.com] that Security is Microsoft's Top Priority [computerworld.com].

    He'd never lie to us, would he?

  • You would think that with all of these grievences and new patches turning off Active X by default that this should start the death of Active X all together.

    Why is it still being used? what are the other choices?
  • Was a nice little summary about why ActiveX sucks, but the post is more than a year old. Either the submitter just discovered the Internet, or this is troll feeding right on the front page.

    This is "news for nerds"?
  • You don't need Active X to format a hard drive. An application called JennyTheSlutwhore.exe can do just as much damaged downloaded from a website or recieved in an e-mail. There's absolutly no difference. If a user is dumb enough to disable security then f em.
  • ActiveX has been this way from the beginning. ActiveX applets can be entire programs, just ones that run inside your browser or another container. The only limitations are the security settings of the containing program.

    That being said, with a trusted ActiveX app you can do a lot with the OS. The problem is that most users are too trusting (or their browsers are, if the security settings are too low).
  • ActiveX shows Microsoft's commitment to the developer experience. Just think how hard it would be to write a webpage which makes firefox or any other browser format the user's harddrive.
  • Much more subtle, and IMHO more sinister attack is not to format the hard drive but to read from it. Nobody knows when read attacks occur, and it will take a while for word to get around. Also, read attacks are much more useful if you want to attack a certian person/group of people(IE you aren't a script kiddie in for the cheap thrill).
    Which is more damaging, deleting the email of a person cheating on their spouse, or forwarding it to the spouse?
  • by Billly Gates ( 198444 ) on Monday January 17, 2005 @02:28PM (#11387919) Journal
    For those old enough to remember Windows95 and Windows3.1, activeX was called "ole" short for Object Linking and Embedding.

    It was used in VB to drag and drop controls and parts of applications. Thats it.

    For example you could slap together an app that uses Excel by using the ole (activeX) control from the program and putting it on the form.

    Anyway its powerfull and security is not an issue since it was designed to be used in internal apps at compile time by VB and VC developers.

    MS was panicked by netscape plugins wbecause ms didn't control it. What MS should have done was base ActiveX on ole, take out some features and add security oriented ones in return. Instead they gave out the ole controls with a dumb hackable trust based pop-up as a bandaid solution for the security.

  • Old News (Score:3, Informative)

    by rlp ( 11898 ) on Monday January 17, 2005 @03:03PM (#11388261)
    When ActiveX was first announced in the 90's people complained about it's lack of security model. ActiveX was MS's answer to Java applets. Problem was that Java was built from the ground up with security in mind. The security model runs applets in a constrained (sandbox) environment to eliminate the threat of malware. ActiveX initially had no security model. Early on, when complaints were voiced MS added code-signing putting the onus on users to distinguish between legitimate code and malware.

    Over the years, the view of the critics have proved accurate. Java applets have had a few security problems - usually related to buffer overflows in the VM. ActiveX has been and continues to be a security disaster.

Technology is dominated by those who manage what they do not understand.

Working...