best language for 3D manipulation over web ?

Attila Feher Attila.Feher at lmf.ericsson.se
Wed Jun 6 05:53:11 EDT 2001


TGOS wrote:
[SNIP]
> I can't tell which SPs were applied and which ones not.
> It was not even a program of a cracker page, I got it from the webpage of a
> computer magazine. That was still some time ago, so maybe the SP was too new at
> that time and they had no time to apply it. But I can't remember that such a
> big security hole ever existed for any known UNIX system.

Actually there was a week when many (10+) Linuces have been cracked and
defaced in Hungary - due to a security hole like this.   Of course, one
_can_ install (as far as I remember) eg: NT w/o DirectX...  Maybe I am
wrong.  

> But I'm afraid I'm talking about apples here and you about pears. Let's define
> what is meant by "OS".
> 
> For me an OS is just the basic system, all that is needed to get the system run
> and not all that might be installed on a system.

Let's pray to god that someone at MS.commmmmmercial will understand this...

> So when I say UNIX is more secure than Windows, I mean UNIX itself, which is
> the kernel, hardware driver, software drivers (like file systems) and the
> programs that are absolutely necessary.

And what can you do with it? :-)))  Having a UNIX usually means to
people: sendmail, awk, egrep, cat, etc. etc. many-many little utilities:
which are great and which make UNIX tick...

> When installing a UNIX system that shall be secure, you should disable
> everything during installation that can be disabled (including server software,
> XServer, etc.). A XServer for example is such a big security hole, that you can
> push a whole elephant through it and nobody would recognize it ^_^

Uhhhh.  This I did not know.  Why is it so?

> And exactly that's the problem. Even when you disable everything possible
> during Windows installation, you are still forced to install way too much
> stuff. Can you install WinNT without GUI? Since every GUI might be a security
> hole and every GUI wastes hardware resources (especially on servers that don't
> even have a monitor).


Actually Win31/311 Win95/8/me can be installed w/o GUI...  I mean not
connected to the NET, install and then do some hack and U can remove the
whole GUI.  Of course: good luck with it, since every admin tool is GUI
based :-)))))

> I bet the standard settings of Win2000 installs DirectX as well and I was once
> told (from a usually very reliable source) that DirectX is allowed to
> circumvent many Win2000 security features to achieve higher speed.

I guess you can ask it not to install it...  I hope :-)))

> Isn't the InternetExplorer integrated into Win2000's system? And certainly also
> into WinXP. The InternetExplorer is full of security bugs and when it supports
> something like VBS, goodbye system. No browser is integrated into UNIX systems,
> every GUI is optional.

Don't even mention it.  When I install a Windows there are certain steps
I make immediately, like enabling of all extensions, showing hidden
files etc.  Just to make sure nothing is hidden from me and nothing is
done automatically, w/o asking me (like autorun...)

> Only looking at those facts, it should be clear that Windows is less secure.

I am not talking about a default install.  I guess the default install
for a RedHat has its own nice things, too.

> And you must be careful when speaking about UNIX security holes. One of the
> biggest security holes of all times was (or maybe still is) SENDMAIL. It needs
> root rights to run correctly and that is a danger. You can intentionally crash
> it (e.g. provoking a stack overflow and that way executing own code) and such a
> crash can result in a new shell with root rights. That was one of the easier
> ways to get root rights and immediately everyone said:
> "Look, UNIX isn't secure at all!"

How can U get a root shell when you crash sth?  (I am not a cracker).  I
mean shouldn't the kernel/shell/whatever realize that the setuid stuff
is out and simply return back?  Isn't it so that the shell start up and
it exec-s the setuid stuff, so there is no shell at all with root
effective user?  Sorry if I am too dumb :-)

> But those people seem to overlook that SENDMAIL is a program, not part of the
> kernel and not part of the UNIX OS. For this security hole are only programmers
> of SENDMAIL responsible, not the UNIX programmers. Despite the fact that I've
> seen alternatives to the standard SENDMAIL, I'm currently running a LINUX
> system without any SENDMAIL application at all. (That way programs can't send
> me notifications via mail, but I don't really care)

OK, but we all know that a UNIX system _does_ include sendmail and all
the other stuff in people's mind.  I mean having a web server which
cannot notify me of events (alarms) is not that good. :-(

> Looking at a full featured UNIX system, it's of course not more secure than a
> Windows system. I'm only comparing two base systems where no third party
> software is installed and there, UNIX *is* more secure than Windows.

OK, it is. :-)))  Exclude RedHat? :-))

> I don't know, but I think most people aren't interested into cracking an
> university server. I personally only try to get root access for the fun of it
> (I wouldn't even know what do with it).

They do it just for fun, and to test their limits.  There is nothing on
that server.

> BTW, looks like today is a "happy day" for you.
> ( Lots of ":-)))")

Yep, I "signal" you that I am not trying to argue, but discuss.  As far
as I see we 99% agree and the rest 1% we did not talk about.  Wrap up:
there is _no_ world domination of Windows (THX GOD!) and no such thing
for unices either.  If your resources let you, you must seriously
consider releasing a multiplatform product.  If your target is the Web,
you MUST find the resources for it.  (MUST is the same here as in an RFC
:-)))  Or you shall work for MS :-)))

> > Same with NT.  I have seen NT setup taking few thousand steps to make
> > and which was solid as a rock.
> 
> See above, there are too many things you can't remove/exclude of a Windows
> installation that provide security holes. You simply can't remove things that
> are a permanent part of the system and when you compare Windows to UNIX under
> this point of view, a LINUX system can be tiny enough to fit onto a single
> floppy disc, a UNIX distribution might as well (when you have 2.88 MB
> floppies)...how about WinNT?

If you have enough floppies :-)))  Actually the WinNT base system is
also small.  The problem is: it is closed (you cannot say that my UI is
now not GDI(32?) but WGS (made up: White's Graphic System, Feher=White)
etc.  Also the whole stuff for use (admin tools etc.) is GUI only.  In
NT4 the only one which is not GUI is the one (route table whatever)
which cries out to be at least SAA on CUI or something, because it is
pain in the ass to use it from command line.

> So I guess now you understand my point of view and on what base I'm arguing
> when claiming that UNIX is more secure than Windows.

Yep.

> >  So the primary decision is: is my target group UNIX or Windows or both.
> 
> If you get a UNIX version, you can also make it run on Linux.
> And the main difference between UNIX and Windows are the APIs. But for whatever
> you have an API call at UNIX, there's also an API call in Windows.

Sure.

> I personally like the system of "wrappers". You neither use UNIX or Windows
> APIs directly. You create your own wrapper API, that in one case is wrapped
> around the UNIX/Linux APIs and once around the Windows APIs.

Yep.  But let's say I want to make a non-open-source stuff.  Wrappers
are either GNU licenced or damn expensive to buy/make...  However
careful C++ (OO) design _can_ provide an initial abstraction layer below
which one can later change the logic to use a wrapper - when he had
enough sales: whether or not the sales are UNIX or Windows.  I am
talking here about a non-Web based game for example.  Once one
identified the basic building objects, and designed their interface...
who cares later if MessagingSocket uses BSD or Winsock to implement its
operations?

> That means you don't have to rewrite a single line of C++ code of your
> application, you must create wrapper APIs for every system you like to support.

Yes, I like the idea, I even wanted to start a portable UML design tool
project of mine (of course first some trial'n'error) based on this
idea... but I gave up until now: no time and waaay too many questions. 
(Eg: creation of a portable icon format - probably as a sort of portable
metafile.  Now I have to do a serious internet search to find if one
already does exist, so I don't reinvent the wheel and create a
proprietary solution...)

[SNIP]
> > Then you must have a real good luck.  I use Solaris here and I know what
> > I am talking about :-)))  Reboot is once per day on a test machine where
> > "badly behaving" SW can run.
> 
> Poor configuration?
> Our Solaris machines are UltraSparcs, probably configured by a Sun employee.

I doubt it.  NIS going down, development SW running there... Anyways
some patches had to be applied for my WS behaves very nicely nowadays. 
It is only the ancient X which sometimes decides to give up.

> > I have no problem with the security manager, I have problem with the
> > Java VM code.  It isn't "old enough" and mostly not open source to
> > convince a security-fanatic.
> 
> Windows as a whole isn't open source, nevertheless you trust in its security,
> don't you? ^_-
> Despite that, some parts are open source.

Yep.  And it does have a Java VM(?) installed with IE... :-))))  That's
why you need to know a lot to make the secure install.

> > That is right.  And I would say also that no shit-had programmer should
> > be forced to write cross platform code if he cannot.
> 
> Can not or doesn't want to?

Cannot.  No money, no time, no experienced designers.  Don't want... I
mean it is not the designer/developer/system architect's job to have a
wish list - it's the customer's :-)))

[SNIP]
> The GUI is actually the easiest part.
> There's a GDI wrapper for XServer systems (providing full featured Windows GDI
> support for XServer) and there is an XServer wrapper for Windows GDI. I would
> rather be worried about processor specific optimizing done in assembler that
> you can't port without rewriting them.

Anyone making assembly optimizations should be aware of that he creates
_highly_ nonportable code.  If one goes with C++ (and C) it is many
times unnecessary, even evil.  A well written C/C++ code will provide
the same ASM stuff.  And if one has to talk to a HW device or whatever -
on UNIX there are the /dev files, on WinX you have other ways... but
anyways that will be just another "wrapper" or "driver", which is of
course system/platform dependent.  One has to be very-very convincing in
a project (part) I am involved in to be allowed to use ASM...

> > The only "good" point which I like in Win and _very_much_ miss in Unix is
> > the messaging opportunity.  Unix has few signals, and that's it.  Sad.
> 
> And that's good!
> More message increase security holes and system compressibility.

Why does it increase security that everyone in need of a protocol should
go for streams, (sockets) make its own protocol stack (and at that point
probably make serious mistakes in something which might run with
"higher" right than the user has) and so on...  No scheduler, no
callback point or event loop...  Not every program is 2 letters command
line tool :-(((  And once you need something seriously event driven you
end up buying ACE for a lot of money or get 5 people to write a
framework. :-(((

> > :-))))  So Solaris 7 is apparently not UNIX. :-))  It does not crash
> > usually, simply stops working.
> 
> Solaris is not the prototype of UNIX, it's just the UNIX of Sun.
> Can you still login via SSH when your Solaris 7 systems hangs?

When the X goes home, yes.  I did not try the other one though, which
crashes a lot.

> > Yep, Windows, its registry,
> 
> Don't mention its registry, it's hell.

Nope.  Hell is good for something: you can frighten bad people with it. 
The concept of the common Windows registry is plain evil.

> Every application (including those provided with Windows) support 30% of hidden
> features that you can only enable with registry tweaks. No matter what you do,
> the registry keeps on growing bigger and bigger, it's full of unnecessary
> entries and not very well organized.

And once it crashes you have to reinstall _everything_, probably
including nice data loss...

> Despite that, I don't think it's a good idea to make a central registry for all
> applications and users. Every user should have his/her own registry (and not
> just a sub-tree) and only Windows should be allowed to use it (third party
> software shall store their configuration somewhere else).

TOTALLY agreed.  This was the WORST thing MS could make.  Not to mention
their "fantastic" idea of installing everything under c:\windows (like
app DLLs), installing every user prog under program files, _and_ give
them this as working dir... Some C++ wanted me to start my projects in
c:\program file\whatever\whatever\projects...  Oh my god!  And this is
based on MS recommendations...

> > its changing (screwed up) APIs,
> 
> Is there actually a list of all APIs that are included with Windows (or
> multiple list for different versions), as well as an explanation what functions
> are actually inside those APIs?

Yep and no.  There is MSDN, there is Win32, which is a platform with its
APIs, Win16, WinSock (1.1, 2.0), Telephony, IE etc.  Millions of APIs. 
One API for network drivers, one API for mailing (MAPI, I wonder if it
still exists or renamed), then the OLE, ActiveX stuff etc.  Windows has
one bad thing: it is waaay too difficult and complex.  Win16 messages
and services one could keep in my - and it was organized.  But nowadays
with the new APIs, abandoned but kept-for-compatibility APIs, GUI only
APIs, "copied" (I am trying to get not sued here :-) and changed APIs
(WinSock) etc.  There are too many.  Of course, you can learn them and I
am sure that the MSDN is better for learning than the man pages... but
still.

[SNIP]
> If you don't start with a cross-platform solution, it will get harder and
> harder in the future to change that. An internet dialer is a very specific
> piece of SW, that can't be cross-platform.

Not necessarily.  If the original OO design is good, there _are_
abstraction layers and you don't depend on _anything_ but the
("implementable", or possible to port) functionality/interface of the
abstraction layer (which is not necessarily a platform abstraction layer)
later you can easily add the other layer below it.

> But office software, browsers, multimedia players, multimedia editors,
> rendering software, programming IDEs, Usenet clients, e-mail clients, database
> software, compilers, interpreters, file managers, picture editors, sound
> editors, music composers, Internet clients, encryption software, compressors,
> etc.

Yep :-)))

> > Max. size still working (talking about normal WS) Java
> > applet was around 70K.  Then performance degraded so much, that it was
> > useless.
> 
> The Java2D demo of sun is larger than 70 KB and not useless.
> And it's offering a lot more than you would need for a standard GUI.

OK.  Will check it out.

> http://java.sun.com/products/java-media/2D/samples/java2demo/Java2Demo.html
> (You'll need a browser with Java 1.3 support, maybe it will also run on 1.2.
> So for most browsers you'll have to install the Sun JRE)

Mine tells it has Java 2 - I suppose this is 1.3...

> To compare with native methods in speed, set to "0 ms" and turn off
> "Anti-Aliasing" (as your native system doesn't support that).
> Also the sound abilities are pretty impressive (the techno tune is very good).
> 
> Do you know their PostScript viewer?
> http://java.sun.com/products/java-media/2D/samples/postscript/PostscriptViewer.html

Nope, will check it out.

> For your GUI, look at the swing demo. Since Swing is 100% pure Java (it runs
> without any native support), you can also load the Swing classes on Java
> versions below 1.2
> 
> http://192.9.48.9/products/plugin/1.2.2/demos/jfc/SwingSet/SwingSetApplet2.html
> (don't forget to switch "skins" on the fly)

THX!

> > BTW I wanted to use Java, I have even installed it.  But with my 64M
> > PII266 notebook it took 3 minutes to open a source file in the
> > Forte...   Thx.
> 
> Forte?
> Nah, I don't use Forte, I use JBuilder.

Can one get one to learn for free?

>  [ QT ]
> 
> > Tried.  They don't have an unlimited trial version for Win and I have no
> > way now to install a Linux at home. :-(((
> 
> Play around with it using Linux.
> If you release commercial software, you certainly can apply a full version.

No Linux at home :-(((  Desktop is too old, notebook is too notebook :-((( 
gcc is too not standard STL :-((

[SNIP]
> Well, of course you must handle those, that's part of being a Java programmer.

:-))) I guess nowadays some "Java programmer" may not even fit to the
programmer category.  They do guesswork...  Like those Clipper
programmers who gave a bad name for Clipper years ago.

[SNIP]
> Must have something to do with being a communistic country.

Or simply knowing them? :-))))

> > Windows NT is not limited to x86...
> 
> x86 and Alpha, but software must get recompiled to run on Alpha PCs.

Yep.  But as far as I know this is only different with Java and only if
one did not make it machine code...


> You can't really filter the web. You can try, but it will never be really
> effective.

Simple.  One allows only few addresses/IPs to be reached :-)))  Opposite
filtering :-)))

[SNIP]
> IBM is also writing JVMs and their machines are usually a lot better than the
> ones of Sun.
> 
> Despite that Java is already a standard language. I'm studying computer science
> and we don't learn C++, we only learn Java and all programming we perform is
> done in Java.
> 
> We've been told: "we expect you to learn the basics of C++ programming yourself
> and before you will leave this institution, we assume that you've seen more
> than thousand lines of C++ source code, but we will not teach it or use it for
> projects."

Sad.

[SNIP]
> Currently 256 MB.
[SNIP]
> AMD Athlon 1 GHz.


Ah yeah.  PII-266/64MB :-(((  Desktop is P-166 (YES, really) with 80MB.

> But I was already developing in Java on my old PC, Pentium2 350 MHz, 128 MB
> RAM. And I can still run Java applications there, both under Windows and Linux,
> with acceptable speed.

Hm.  RAM will be the issue here.  And Forte :-)))

> Take a look at this page:
> http://www.javalobby.org/fr/html/frm/javalobby/features/jpr/part3.html


Will do.

[SNIP]
> I admit, often Java is slower than C++, but whether your keystroke will get
> displayed after 10ms or 20ms within a text editor doesn't play any role, does
> it?

Nope.  But in the system I do now there are no keystrokes :-)))

> He's speaking about C# here, right?

Loox like.  I would like to see C# to be an independent std language.  I
don't trust MS... They have dropped waaay too many things people invested
into...

> And keep in mind, C++ compilers are very old, while Java compilers are very
> young (only 3 years), so there's still potential for improvements. Compare
> current Java compilers with the first generation, more than ten times faster.
> Think how fast a full featured Java optimizer might be in two years. In theory
> a JVM could reach a speed level that isn't possible for C++ code, because a
> static compiler will never be able to optimize code beyond a certain level (it
> simply can't predict what will go on once the program is running), while a JVM
> with dynamic compiler will be able to look at the program during runtime.

May be so.  I know that when I worked with CA-Clipper the actual Clipper
code (thanx to pcode and the very well optimized engine) was usually
faster and smaller than a C code written for the same task.  Reason: the
C code was _bad_ code, many things repeatedly implemented etc.  Since it
was big and complex.

> Also have an eye on the fact that also Java is so extremely young, there are
> already more books about Java programming than about C++ programming. And as I
> said before, universities prefer the usage of Java over C++. Mainly for two
> reasons:
> Cross-platform development and the ability to have a running BETA program
> before C++ programmers even have a concept.

Now if U have a C++ programmer (experienced, with his nice libraries) I
guess he will do a better quality work before the new Java guy learns
what is an array :-)))  But yes, for people not knowing enough a very
high level language like Java is very good.  Also the concept of the
Java platform is not bad.  Although I am sure that applications, which
receive very different kinds of loads and demands during their runtime
will be better optimized by a compiler which _does_ optimize _everything_
to full extent...

> Don't get me wrong, I don't say Java is better than C++, just different.

Yep.  C++ is a "low level" programming language (one hairline above
assembly, with OO capabilties) and Java is a programming platform.

> There's the right time and the right place for everything and low level,
> highspeed or realtime applications will always depend on a language like C++,
> but 90% of all user applications that currently exist on the market could as well
> be written in Java.

Actually there is a self optimizing Java esp. for realtime...  One
friend of mine loves it.

> And I know that I repeat myself, but you can always use native code in Java if
> you like. In that case you'll have to replace the native code for every
> platform you are supporting, but that native code is maybe 5-10% of your
> application.

Aha.

> E.g. I've used a Java application that DIRECTLY accesses OpenGL (without
> Java3D) and the speed was just like native C++ code . Never forget, there's
> JavaQuake. That is not a real Java version of Quake. Just the game is in Java,
> the sound, graphic and 3D engine is still in native code and there's no speed
> difference to the 100% native version.

Wow.

> The advantage for programmers:
> They only need to port the graphic, sound and 3D engine for all systems they
> want to support. The game behind the engine (which makes Quake what it is) will
> run on every system, since it's Java.

And still one suggestion: before start programming in Java: learn what
goes on behind the scenes!  Otherwise you are lost when you encounter a
problem.  This is not meant to you, but those who think they became the
ultimate programmer if they can do things in Java.

Attila

Ps: Maybe we should go on in private?  I am just waiting in fear for the
first guy from some NG to say: this is not a discussion forum :-((


