On Mon, 20 May 2013 22:00:39 -0700, Nick Sabalausky <seewebsitetocontac...@semitwist.com> wrote:

On Mon, 20 May 2013 19:48:00 -0700
"Adam Wilson" <flybo...@gmail.com> wrote:

On Mon, 20 May 2013 17:04:40 -0700, Nick Sabalausky
<seewebsitetocontac...@semitwist.com> wrote:

> On Mon, 20 May 2013 15:50:06 -0700
> "Adam Wilson" <flybo...@gmail.com> wrote:
>>
>> What if as a UI designer I know that I want to specifically
>> disallow skinning? It's not even that hard of a decision to reach.
>> If the skinning changes the layout metrics at all (margin,
>> padding, size, even shape), my app can end up looking terrible and
>> I have to take a support call for a case that I couldn't have
>> possibly dreamed up.
>>
>
> Basing software decisions upon worries of "What if some user shoots
> himself and calls our support?" is *always* a bad idea.
>

Is it though? Because regardless of whether or not they should call
me, they will, and I will have to spend money to deal with it. Again,
I have real problems that are clashing with ideology. When that
happens the engineer in me demands that I address the real problems.


No, you most certainly do *not* have real problems clashing with
ideology:

What you have is a contrived "what if" scenario that you think is a
"real" threat to your business despite the fact that you yourself are
convinced that hardly anyone is going to be messing with their settings
anyway.

Then you're running around crying "It's ideology versus successful
business! I'd better disregard my user's settings or else the sky will
fall!" Yea, I'm exaggerating, but your whole argument here is clearly
exaggerated bullshit.

And if you really *are* that worried about enough "coffee mug in the
CD tray"-mentality users changing their system settings and then calling
you about that, enough that it would pull you under, then you can just
*not* invent a new UI styling to force on them in the first place. Big
freaking deal. Like you said, most of them don't care anyway, right?


I didn't think we were talking about styling but about cross-process UI manipulation, styling isn't a security threat as you've correctly pointed out, but allowing other processes to manipulate a UI, is, otherwise all new native UI toolkits allow it. Last I checked none of the mobile OS's do. WinRT on Win8 does not either. I'd say the trend is away from cross-process UI manipulation, not towards.


Why? The user mostly doesn't care as long as it works and solves
their problem, I personally spend less and less time customizing my
environments for two-fold reasons, I have an ever-growing number of
them, and I care less and less, just get out of my way and let me
work. Don't make me decide on a hundred details before I can get
started.


Ok. So then why in the world are you wasting *your* time inventing new
UI styles for your software if so few of your users care?


>
> Secondly, we're not babysitters or self-appointed police here. To
> engage in such a level of control is *already* a very serious breach
> of our moral obligations.
>
>

In the real world, yes, we are. You see, it's a small inconvenience
known as the lawsuit. Specifically that I am legally liable for any
and all security vulnerabilities within my product. There is
case-history going back to support this since the dawn of legal
systems. It is ironclad, ideology will not change it. I consider
cross-process of a UI a MAJOR security problem because it allows
malicious software to modify my software in subtle ways that
compromise the security of the system. And apparently I am not the
only one who thinks this way because every mobile OS available today
does not allow ANY kind of cross-process UI manipulation of any kind,
going so far as to sandbox each app.

I think we're getting offtopic here. If we're associating
"legally-accountable security negligence" together with "using native UI
toolkits", then clearly we've already taken a nose-dive off the deep
end.

Where is your outrage over
Android or iOS or WinRT or Blackberry or Symbian?


Heh. If you think I *don't* have a deep seething hatred for Android, iOS
and WinRT, on both practical and ethical grounds, then you're very much
mistaken ;)

I don't always agree with Stallman, but one thing I did always agree
completely with him on is how Steve Jobs's last decade of work was
"the computer as a jail made cool, designed to sever fools from their
freedom". Stallman didn't change my mind with that, but he did word it
far better than I ever could have.


>
> Just for example, Spy++ or any similar such developer tool. Or GUI
> macros. Those are just off the top of my head. I'm sure people can,
> and have, thought of any number of other different uses.
>

GUI macros work on WPF apps.

Does the same macro utility system also work across WPF, GTK, Qt,
Delphi apps, whatever the fuck Nero, Winamp or Windows iTunes use,
*and* Joe Schmo's Yet Another NIH-Fueled OpenGL-based Toolkit?


Snoop does what Spy++ does.


Same question as above.


Have you ever built any software where you are legally liable for
any security holes your software opens up? My guess is no. Because if
you had, you'd get where I am coming from.


Let's not dive into ad-hominem time-wasting here. I'm not going to get
into what really amounts to an "I'm more l33t than you" contest under
the false pretense that the answer has any bearing whatsoever on the
topic at hand.


I wasn't intent on starting a pissing contest, I was merely pointing out a legitimate concern. It may be ad hominem and for that I do apologize.


Ideology is fine, right up until you have to meet the real world. Do
you honestly expect your users to each become security experts? Such
a thought is laughable on the face of it. They have neither the time
nor the interest, and nor should they, it is not a productive use of
their time. This is why the law makes it MY fault for security flaws,
because there is not, and can be no, reasonable expectation that they
are security experts, that's MY job.

Again, you're taking one thing here and then contorting it into a
mutant, paranoid strawman with only a vague connection to the real
discussion:

1. The ideology of *allowing* the users who *want* control over their
own computer to *have* control over their own computer is *not* in
conflict with "the real world". That's downright crazed paranoia. It's
not going to drown your company in support costs. It's not going to get
you thrown in jail for negligent security. It's not going to eat your
children and destroy family values and make the sky fall. Take a step
back and look at this with some perspective.

2. If this stuff we're talking about constitutes such major security
negligence, then so does damn near every other thing computers ever do.
Almost anything useful that programmers use is every bit as
much exploitable. "Hackers can use functions to help create their
exploits?! Holy hell! We must stop this evil 'function' thing since,
after all, legitimate software can just use GOTO!" Or: "Your address
book software lets me put in all that sensitive info?! How dare you!
That means anyone who grabs my phone while I have it unlocked has easy
access to it! I'll sue you!" For fuck's sake, everything useful is
exploitable. Let's go back to our caves. (Oh shit! Rocks!)

3. Where in the world did you pull this "expect your users to each
become security experts" crap from in the first place? That came
completely out of nowhere.


Ergo, allowing cross-process UI manipulation is inherently wrong,
it's also legally and ethically wrong.  Putting my users at risk in
the name of ideology is so wrong that I am dry heaving at the
thought.

Better make sure the cops never find out if you've used Snoop or GUI
macros. Or Tcl Expect. Or a debugger. Or stdin/stdout. Or...


Incidentally, this is why no mobile OS ever allows it, it's
WAY too legally risky. Not even Google can make that lawsuit go away.


I'm seeing an unsubstantiated claim here.


Nick, I hate to break it to you, but you are so far out on the
extreme end of the scale on this one that it will be impossible to
advance technology and keep you happy,

As opposed to being so far out in paranoia that it'll be impossible
for you to use or create technology at all and still feel safe and
secure from lawsuits, support call stampedes, black hats...You really
are a nut here.

so I'll have to leave you
behind, because the 99% want their software to just work, and could
care less how it does it. I don't like leaving people behind and
pissing them off, but I have to go where the majority goes,

Ok, I understood. Ideals result in lawsuit, and so does failing to
chase trends. Ok, gotcha. Back to your padded room...Don't forget your
tinfoil hat over there...

otherwise
I'm just a penniless artist with a rigid ideology and no friends.


You just can't help using all these slippery slope arguments, can
you? Besides, I'm guessing that paranoia doesn't help win friends and
money either.



--
Adam Wilson
IRC: LightBender
Project Coordinator
The Horizon Project
http://www.thehorizonproject.org/
