Hi Cedric,
<troll nature="warning" type="grumble" msg="you have been warned">
On 9/8/2010 3:29 PM, Cedric Vivier wrote:
> I would think the opposite. "Desktop Linux" has never been so relevant
> and will only be more and more relevant in the future as a consequence
> of the "browser as platform" paradigm.
> IMHO "desktop Linux" has never been as relevant as today because I
> believe we have reached a point where major distributions like Ubuntu
> or Fedora recognize and work reasonably well with most recent
> hardware out-of-the-box (suspend, 3G modems, webcams, battery usage).
> Admittedly this doesn't reflect in "market share" (this is not a free
> market anyways, thanks OEMs), more on that later, however if by
> relevance we are talking about user experience, I've seen that it
> works quite well now for users with basic needs centered about the web
> (browsing, email, social networks, playing music).
> In the coming months/years, with the rise of new browser-based
> technologies (WebSockets, WebGL, File API, Audio API, Device Access
> API, offline storage, and last but not least NativeClient), we'll use
> web applications for things that were only possible on the desktop
> before (e.g. Google Earth, hardware-accelerated 3D games, sound
> trackers, ...) effectively serving users with more and more advanced
> and diverse needs.
> These applications will run equally well on any Linux desktop as they
> do on OSX or Windows, without requiring any additional work from
> application developers.
> This is huge, as this makes the leader platforms (Windows and OSX)
> lose their installed base advantage in the long run, the very
> advantage that makes one platform worth developing for or not for
> commercial developers (big or small).
> This makes desktop Linux more and more relevant as the platforms will
> therefore be able to compete mostly on their intrinsic worth (user
> experience, performance, security) rather than competing on the set of
> applications available, effectively locking users to one platform (e.g.
> no more "I can't use Linux because I need FOO app!").
> However I do not believe the _growth_ of "desktop Linux" will come
> from the traditional distros we are using today, these will probably
> stay "niche" OS mostly used by developers and software enthusiasts
> (read geeks;).
> On the other hand I'm confident that "desktop Linux" will grow thanks
> to new distros that break the antiquated desktop metaphor to better
> match today's usages on a variety of devices, desktops/laptops
> included: Chrome OS, Meego, Jollicloud and new distros that will give
> their own specialized take on "the web as a platform".
> Desktop-metaphor-from-the-70s Linux is dead! Long live
> Web-as-a-desktop Linux!
> Regards,
I completely agree with all the above. Definitely.
But when I read the long list of new web features (websocket, etc.)
I can't help but smile:
The Java platform (with or without CORBA) was promising the same 15 years
ago! And they delivered even then. But nobody ever really used it:
1- it was too slow to just _start_ java. (after which it is quick, since
most libs are native anyway nowadays, using JNI to bind to system libs
[swing,3d,etc..])
2- it was more difficult to write apps. (but hey, Java had a profiler
and a debugger for ages, contrary to the latecomer ones on JavaScript)
3- Java applets / applications were supposed to look the same
everywhere, but they didn't. At least not then.
4- MS never supported it and MS back then were kings. They shot Java.
They even shot CORBA by creating a watered-down version of it: COM+!
I think that's the number 1 reason why it died on the browser and on
the desktop.
5- Sun never supported it enough on the desktop as they were too busy
selling it on the server side.
6- CORBA had a big learning curve. Similarly to its crappy watered-down MS
version COM+
BTW, Java and CORBA were almost always working fine on Linux / Win /
Solaris.
Java applets for one had a pretty nifty sandbox from day one. OK it was
broken 2-3 times already but that's still
better than the browsers themselves.
But whatever "WebSockets, WebGL, File API, Audio API, Device Access API,
offline storage, and last but not least NativeClient" can propose
could be achieved 8 years ago with Java. In a portable manner. All that
was necessary was to modify the 100% java implementation of swing, etc,
to a JNI based (like it is now on Linux / Mac / Windows) library that
uses the native OS widgets, and I believe they did this in 2003 or 2004.
I work with web protocols every day to perform application pen-tests and
the like and it's tiring to see the same flaws for the last 10 years or so.
Simply because HTTP was never meant as a communication protocol.
- It has no session (session cookies are hacks, that happen to work, when
implemented properly)
- It has no state (you can call page2 before page1 if you want; it's up
to the app to enforce)
Don't even get me started with the CGI way of passing parameters, or the
different encodings etc. that they use.
It just wasn't designed to implement applications. The source of 99% of
the flaws is "input validation" or parameter
validation if you prefer. Most developers forget that an attacker can
modify the complete request to just input anything,
and as such the pain of double verification has to be done on the server
side. Most of them know about that now,
but it doesn't stop them from forgetting a few parameters in the
thousands that they pass in the entire app.
Only now web is able to more or less work the way it is. But that's just
because they added 10 layers of hack above it.
JavaScript / JSON-RPC / flex / XML-RPC and all the JS libraries.
And the fact that they are finalizing on websockets etc.. is just
another proof of that. It's like an additional ugly patch.
And what about the myriad of broken application frameworks out there?
Almost none of them support everything we want.
Just to tell you how backward the web is, sometimes just look at the big
vendors: they are still using a half-duplex protocol
to serve files! ==> FTP! You'd have thought that this kind of protocol
would have become obsolete as soon as sockets became
full duplex. But nooooo. Let's keep that crap they said!
Other horribly broken protocols include IP, TCP (yup, the very
foundation!), SNMP until v3 that nobody uses anyway (aka "Security Not
My Problem"),
SMTP (spam anyone?), NFS until v4 that nobody uses anyway, DNS until
DNS-SEC and even this one has flaws, most of the routing protocols,
SOAP (is this _really_ lightweight? _reeeaaaly_?), XML-RPC (XML ->
enough said), XPath (probably the worst of the lot), WEP,
the list goes on and on..
Don't get me wrong, I'm not a grandfather, and I use all the above...
because I have no choice. But I'll tell you it's always my pleasure
to break web apps because there are always so many bugs, and frankly I
stopped blaming the web developers 3 years ago :-)
Penetration tests are equally fun of course :-) :-)
</troll>
Hope this will be an eye opener, although I'm sure it will not deter any
of us from using these technologies again because there
is no choice :)
Take care,
Fabrice.
--
Fabrice A. Marie
FMA Risk Management Solutions
http://www.fma-rms.com/
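The two points the email makes about HTTP, that page order is "up to the app to enforce" and that every parameter of the whole request has to be re-validated server-side because the client controls all of it, as an added example that is not code from the email or from FMA. It is framework-free; the page names, parameter names and patterns are constructed for illustration.

```python
"""Added example, not code from the original email: a framework-free sketch of
the two server-side checks the message says HTTP leaves to the application,
enforcing page order from server-held state and validating every parameter
of every request against an allowlist. All names and values are constructed."""
import re

# Per-page allowlist: each accepted parameter with the pattern it must match.
# A parameter absent from the list is rejected, so a forgotten one fails closed
# instead of slipping through among "the thousands" an app passes around.
SCHEMA = {
    "page1": {"username": re.compile(r"[a-z0-9_]{3,16}")},
    "page2": {"amount": re.compile(r"[0-9]{1,6}"),
              "currency": re.compile(r"SGD|USD|EUR")},
}
# The order the application has to enforce itself, since HTTP will happily
# accept page2 before page1.
FLOW = ["page1", "page2"]


def validate_params(page, params):
    """Return a list of problems; an empty list means every parameter passed."""
    rules = SCHEMA[page]
    problems = [f"unexpected parameter: {name}" for name in params if name not in rules]
    for name, pattern in rules.items():
        value = params.get(name)
        if value is None:
            problems.append(f"missing parameter: {name}")
        elif not isinstance(value, str) or not pattern.fullmatch(value):
            problems.append(f"invalid parameter: {name}")
    return problems


def handle(session, page, params):
    """Process one request. `session` is the server-side record looked up from
    the session cookie; nothing in it comes from the client's request body."""
    if page not in SCHEMA:
        return 404, "unknown page"
    done = session.get("completed", 0)
    expected = FLOW[done] if done < len(FLOW) else None
    if page != expected:
        # Out-of-order request: a step was skipped or replayed.
        return 409, f"expected {expected}, got {page}"
    problems = validate_params(page, params)
    if problems:
        return 400, "; ".join(problems)
    session["completed"] = done + 1
    return 200, f"{page} accepted"
```

Note that `fullmatch` rejects trailing newlines and other padding that `$`-anchored `match` would let through, which is the sort of encoding corner the email complains about.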
_______________________________________________
LUGS Mailing list - [email protected]
List FAQ: http://wiki.lugs.org.sg/LugsMailingListFaq
Info page: http://www.lugs.org.sg/mailman/listinfo/slugnet
To unsubscribe send an empty email to: [email protected]