From the makers of Outlook, IE and Active-X : Terrarium
From: David Mohring (heretic@heretic.ihug.co.nz) Date: 02/07/02
From: heretic@heretic.ihug.co.nz (David Mohring) Date: Thu, 7 Feb 2002 12:21:22 +0000 (UTC)
If ever you needed proof that Microsoft hasn't a clue in terms of
systems security, you need look no further than their latest
DOT NET "training tool" - Terrarium.
Quoting the recent .NET show
http://msdn.microsoft.com/theshow/
+Terrarium is a multiplayer ecosystem game developed using the .NET
+Framework. Developers can create their own creatures and add them into the
+game on their own client machine. Teleporters on each client transfer the
+creatures between clients in the Terrarium peer-to-peer (P2P) network.
+Through the experience of programming these "creatures," the participating
+developers gain familiarity with the new development models presented in
+.NET, and how to construct code using Visual Studio .NET.
I saw a demonstration of Terrarium last year. With limited
distribution as a demonstration and testing tool for the sandboxing
in DOT NET it was a very good idea. But as what seems to happen with
all such good ideas at Microsoft, the Marketing section gets hold
of it and says "This is a great feature to sell DOT NET to the
developers". So it gets released to the general public ( or at
least those willing to have or forge a Microsoft passport ).
And so ...
"Microsoft game is a code-eating battle"
http://zdnet.com.com/2100-1104-830680.html
Which includes the unforgettable phrase "Terrarium is not a virus,
says Microsoft".
Here is a google page to Microsoft's gotdotnet site, which includes
cached versions of the following pages.
http://www.google.com/search?q=+site:www.gotdotnet.com+Terrarium
The FAQ makes interesting reading.
http://www.gotdotnet.com/terrarium/docs/initialsetup/faq.aspx
What raised the hairs on the back of my neck was the italicized
statement of the install page.
http://www.gotdotnet.com/terrarium/download/
+Install Terrarium
+
+Note You must be a local administrator or power user on the computer to
+install and run the Terrarium.
^^^^^^^^^^^^^^^^^
I can understand the need to install as local administrator or power user,
but why has Microsoft completely failed to learn by now that it is not a
good idea to run such a service under Local-system or administrator
privileges?
See Apache Vs IIS
http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2792860,00.html
And the views of
http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2809071,00.html
Microsoft's recent history of providing "sandboxed" environments is abysmal
and even the best professional programmers cannot guarantee that such
a complex system as the DOT NET common runtime environment will be
vulnerability free.
IMO it is only a matter of time before either the code in one of the
"critters" manages to "break the glass" and escape into the system or a
flaw is discovered in the peer to peer server vulnerable to true worm
infestation. At least if the service/application is running with normal
user privilege it would somewhat limit the damage the script could do.
If the management at Microsoft choose to go ahead and release Terrarium
in a form that requires it run with such high privileges, or worse
still consider running such an application on Win9x/ME, then it shows
that the recent statements about Microsoft's recent conversion
over the concerns about security issues in its products is nothing
but pure marketing bull____.
David Mohring - "Dot NET, Got Root, Not NET, Bit Rot"