best language for 3D manipulation over web ?

TGOS tgos at spamcop.net
Thu Jun 7 12:23:11 EDT 2001


On Wed, 06 Jun 2001 12:53:11 +0300, Attila Feher <Attila.Feher at lmf.ericsson.se>
wrote:

>> So when I say UNIX is more secure than Windows, I mean UNIX itself, which is
>> the kernel, hardware driver, software drivers (like file systems) and the
>> programs that are absolutely necessary.
> 
> And what can you do with it? :-)))  Having a UNIX usually means to
> people: sendmail, awk, egrep, cat, etc. etc. many-many little utilities:
> which are great and which make UNIX tick...

Let's assume you need a router...all you need for that is a UNIX/Linux kernel
and a boot script...that's it.
Maybe you also install an SSH client (that only allows connection from the
local network) to change configuration, but despite that you don't need
anything. Such a router easily fits onto a floppy disc...even a router with
extra firewall may fit onto a single floppy disc.

Now let's build that system with WinNT...how many useless components do you
have to install, that are never used later on, but might cause security holes?
Exactly ^_^

Despite that, I doubt that WinNT actually has router/firewall functions
implemented into its kernel, so you are forced to install third party software
for this.


For a webserver you'll only need kernel and webserver application (the OS and
ONE piece of third party software). Sure, depending on what this server shall
be able to do (PHP, Perl, SSI, etc.) you may have to install a lot more than
only those 2, but whatever you need, you always just install the absolute
minimum necessary for your server.

>> When installing a UNIX system that shall be secure, you should disable
>> everything during installation that can be disabled (including server software,
>> XServer, etc.). An XServer for example is such a big security hole, that you can
>> push a whole elephant through it and nobody would recognize it ^_^
> 
> Uhhhh.  This I did not know.  Why is it so?

XServers usually have permanently opened ports and every open port is a
security risk. Sure, usually you can configure the XServer to disable those
ports within the configuration file, but let's stay realistic: XServers do have
bugs as well.

XServers are often "super applications", IOW they aren't treated like normal
user applications (mine has its own kernel module for a speed boost, so it can
directly access hardware) and most admins forget that XServers can be a
security hole (IOW they don't disable the open ports).

If you make an SSH login to another PC and then start an XServer application,
the window it creates is then displayed on your desktop, not on the local one.
Now what if you can manipulate a XServer so it always forwards all Window data
to those open ports? Then a hacker/cracker would be able to see what's going on
at your screen for example.

So if you are building a router, firewall or webserver...don't install any
XServer, it's neither necessary nor advisable. Despite that, many crashes on
UNIX/Linux PCs are the fault of the XServer. If it crashes, it pulls all
graphical apps into nirvana.

The IRIX PCs at university are VERY stable, but their XServer crashes twice a
day. If that happens, you can't operate the system anymore from your local
desktop, but if you login from another PC, you'll see that everything is fine
(you can still run whatever you like without problems). So the OS itself didn't
crash, just the XServer. If you kill the XServer and restart it again, the PC
will continue to work.

<snip>

> Actually Win31/311 Win95/8/me can be installed w/o GUI...  I mean not
> connected to the NET, install and then do some hack and U can remove the
> whole GUI.

Sure:
Open system.ini and replace "shell=Explorer.exe" with another GUI.
Try "shell=command.com" and you run Windows in text mode. You can start Windows
apps, that's no problem. E.g. type "start winamp" and then you can listen to
MP3 music. You just don't have a Desktop, a Taskbar or a Startbutton.

That way you don't get rid of the GDI, but of the Explorer (you can now delete
the EXE file as well as some other files). To get rid of the GDI, you must
download an alternative GDI (those exist) and simply exchange those two.

Thanks to "Rundll" you can create BAT files for shutting down your PC and other
things you are missing now. But I doubt that this all is possible in WinNT.

<snip>

>> And you must be careful when speaking about UNIX security holes. One of the
>> biggest security holes of all times was (or maybe still is) SENDMAIL. It needs
>> root rights to run correctly and that is a danger. You can intentionally crash
>> it (e.g. provoking a stack overflow and that way executing own code) and such a
>> crash can result in a new shell with root rights. That was one of the easier
>> ways to get root rights and immediately everyone said:
>> "Look, UNIX isn't secure at all!"
> 
> How can U get a root shell when you crash sth?  (I am not a cracker).

Don't ask me.

> I mean shouldn't the kernel/shell/whatever realize that the setuid stuff
> is out and simply return back?

Sendmail has plenty of buffers and some buffers were way too small.
E.g. if you use a 2000 char long e-mail address, but the buffer is only 50
chars and Sendmail doesn't check this, data will get written beyond the limits
of this buffer (that's a disadvantage of direct memory access instead of using
a char array).

Now you can get Sendmail executing a command for you, like "bash" and this bash
is then a root shell, because it was invoked by a root process.

> Isn't it so that the shell start up and
> it exec-s the setuid stuff, so there is no shell at all with root
> effective user?

I don't know the details either, sorry.
But some of Sendmail's bugs can be found here:
http://www.wwdsi.com/demo/saint_tutorials/Sendmail_vulnerabilities.html

<snip>

> OK, but we all know that a UNIX system _does_ include sendmail and all
> the other stuff in people's mind.

Well, there are alternatives to Sendmail. Despite that, I found a webpage that
describes how you can install and use Sendmail, WITHOUT assigning root access
to it.

> I mean having a web server which
> cannot notify me of events (alarms) is not that good. :-(

There are certainly other ways to notify you.
Despite that, a Unix system can send mails without Sendmail, e.g. via an
external SMTP server (the one where your mailbox is hosted).
 
<big snip>

>> I personally like the system of "wrappers". You neither use UNIX or Windows
>> APIs directly. You create your own wrapper API, that in one case is wrapped
>> around the UNIX/Linux APIs and once around the Windows APIs.
> 
> Yep.  But let's say I want to make a non-open-source stuff.

Then use non open source wrappers ^_^
Or even better, write your own wrapper.

Never thought about creating your own GUI library? Where all functions are
named like you want and that is optimized for your needs?

Just create such a library for your favorite system. Every method within your
library will only have a few lines of code and then make use of native OS
libraries for their actual task.

In your application, you just make use of your own GUI library (you'll lose
maybe 1-2% of GUI speed through this wrapping, but usually you won't even
notice).

If you now want to get your application running on a different system, just
pull out your library skeleton, delete all native functions and replace them
with native functions of this OS. Sometimes you will have to alter the
surrounding code a bit, but that's not a lot of work.


That's then _your own_ wrapper library. And even if your application is so
shitty that nobody wants to ever buy it...maybe you get rich by selling your
wrapper library ^_-


I once made a game wrapper for Windows and Linux, with enough functions to
create very simple games (puzzle or card games, not Quake3 ^,^) and it was
already running very well (still had some bugs, but I'm sure I had fixed
those)...then I found out that I can write those simple games in Java (where it
also runs on other systems, not just Windows and Linux) and there's no
dramatic speed difference, so I dumped this project as a whole.

My library was too slow and not flexible enough for larger projects anyway, but
it was an interesting experience and up to now my only real experience with C++
(as I told you before, we only learn Java).

<snip>

>> Windows as a whole isn't open source, nevertheless you trust in its security,
>> don't you? ^_-
>> Despite that, some parts are open source.
> 
> Yep.  And it does have a Java VM(?) installed with IE... :-))))  That's
> why you need to know a lot to make the secure install.

Well, in case of Win9x, you can simply delete all Java classes and then Java is
gone. I don't use IE's Java, I surf the web with Opera (I'm proud to say that
I'm a registered Opera user ... finally a piece of software I bought instead of
applying a crack ^,^) and Opera has no own Java. You must install a JRE of your
choice (currently using Sun JVM 1.3) and Opera will use it. BTW it will use it
directly, without the plug-ins that are needed for IE and NS. It directly
accesses the DLL where the JVM is inside - the same way the appletviewer is
doing it. Opera is currently the ONLY browser that is able to do this.

<snip>

> Anyone making assembly optimizations should be aware of that he creates
> _highly_ nonportable code.

But also highly speed optimized one.

> If one goes with C++ (and C) it is many
> times unnecessary, even evil.  A well written C/C++ code will provide
> the same ASM stuff.

That depends.
Most compilers allow you to preview your C++ code in Assembler, the way it is
also translated when getting compiled. If you take a look at that code and
compare it to hand written code, it's quite different.

A tiny C++ program may result in 1,000 lines Assembler code, while when you
write the same thing directly in Assembler, you may only need 400 lines.
Despite that you can make use of processor features like SSE2, which can
perform certain calculations 4 times faster than using classic x86
instructions; very helpful when applying the same function onto a whole array
of numbers. C++ won't use those features, because for that it would need to
know how the program behaves during runtime.

Sure, this code will only run on a specific platform, often only on a specific
CPU, but nonetheless it's done pretty often. This doesn't mean that your whole
application can't be cross-platform.

You may write the same function multiple times:
1. Plain C++
2. x86 Assembler (386 or higher)
3. x86 Assembler (Pentium MMX or higher)
4. x86 Assembler (Pentium3 SSE or higher)
5. x86 Assembler (AMD Athlon 3DNow or higher)
6. x86 Assembler (Pentium4 SSE2 or higher)
7. PowerPC Assembler (...sorry, don't know those numbers...)
8. PowerPC Assembler (with 'AltiVec' or whatever their extension is called)
9. some other CPU
10. some other CPU
11. some other CPU
12. some other CPU

Now when your program starts, it detects the CPU of your system and depending
on what it found, 2 - 12 is used. If the CPU type is unknown, there's still 1
that got compiled on that system and that way will certainly run.

I bet optimizations of that kind are done in applications like:
Maya 3.0a http://www.aw.sgi.de
Houdini 4.1 http://www.sidefx.com

Both run on:
WinNT, Win2000, Linux and IRIX.
In case of Maya, a Mac version is currently in development.

<snip>

[ Windows Registry ]

> And once it crashes you have to reinstall _everything_, probably
> including nice data loss...

Exactly, that's why applications shouldn't store their data there. So I can
reinstall Windows, without being forced to reinstall a single application.
That way I would lose file associations, but that's not such a big deal.
 
>> Every user should have his/her own registry (and not just a sub-tree)
> 
> TOTALLY agreed.

See, we can agree to many different things ^__^

Especially if every user had his/her own registry, different users could have
different file associations (one user may like to open DOC files with Word, but
someone else may like to open them with StarWriter) and different hardware
settings (sometimes that's an advantage).

<snip>

>> Forte?
>> Nah, I don't use Forte, I use JBuilder.
> 
> Can one get one to learn for free?

Sure.
The current version (JBuilder 5) is commercial, but they were kind enough to
give away their older version (JBuilder 4) for free!

Go here:
http://www.inprise.com/jbuilder/foundation/

And download it for free. They support the following platforms:
Windows, Linux and Solaris

JBuilder itself is written in Java, but it comes with an own JDK and an own
setup application (both are native). Once it's installed, I was able to delete
its custom JDK (but careful, you can't delete everything of it. If two of the
JAR files are missing, some features don't work anymore!) and to manipulate it,
so that it now runs with the JDK that I installed on my system previous to
JBuilder.

IOW in theory you are even able to run it on other UNIX systems than Solaris.

Before you can use it after install, you must register at the Inprise homepage
to get an activation key. This registration is for free, you just answer a few
questions and they'll send you the key via e-mail.
 
<snip>

>> You can't really filter the web. You can try, but it will never be really
>> effective.
> 
> Simple.  One allows only few addresses/IPs to be reached :-)))  Opposite
> filtering :-)))

I don't think they are doing this...actually I know it.
Do you know Audiogalaxy? It's like Napster (sharing MP3 files), but unlike
Napster it's still unfiltered and they even have a client for Linux.

I use it once a while and there you can look who's online at the moment (of
course you don't see the real names of people, just their screen names), sorted
by country. And once a while a few people from China are online ^_^

And as I know the Chinese government, I doubt that they would allow users to
access Audiogalaxy, because they also have discussion forums there. So Chinese
people can discuss with the rest of the world.

 
> Hm.  RAM will be the issue here.

Let's say it that way:
One thing that makes Java slow is the garbage collector and the more RAM you
have, the less often it must start to clean it up.

IBM's JVM is faster than Sun's, but it also uses more RAM (where Sun's uses
16 MB, IBM's may use 22 MB) ...maybe not a coincidence.

Java doesn't need a very fast CPU (remember, very simple devices can run Java
like cell phones), but a decent amount of RAM is pretty helpful.

<snip>

> Now if U have a C++ programmer (experienced, with his nice libraries) I
> guess he will do a better quality work before the new Java guy learns
> what is an array :-)))

But the C++ programmer may use direct memory access and the result is something
like Sendmail, which doesn't happen when using an array. ^_-

Despite that, C++ programmers don't need to know what an array is?

<snip>

> And still one suggestion: before starting to program in Java: learn what
> goes on behind the scenes!  Otherwise you are lost when you encounter a
> problem.

That's what I'm currently trying. The first thing I did was looking at the
source code of all classes that are shipped with Java and I found out that they
seem to be rather optimized for small size than for high speed.

> Ps: Maybe we should go on in private?  I am just waiting in fear for the
> first guy from some NG to say: this is not a discussion forum :-((

Really? So what is it?
IMHO a Newsgroup *is* the prototype of a discussion forum and Usenet was
created for discussions.

But the e-mail address in my header is valid, so you can also reply via mail if
you prefer.

-- 
TGOS
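The Sendmail-style bug discussed in this thread (a 2000-character address written into a 50-character buffer that nobody bounds-checks), as an added C example that is not part of the original post: the unchecked copy next to a bounded version that rejects over-long input instead of writing past the buffer. The buffer size and function names are assumptions for illustration, not Sendmail's code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed address buffer from the discussion. */
#define ADDR_BUF 50

/* The shape of the defect described in the message: the address is copied
 * into a fixed 50-byte buffer with no length check, so an address longer
 * than 49 characters overwrites whatever follows the buffer on the stack.
 * Shown for contrast only; it is never called in this file. */
void copy_address_unchecked(char *dst, const char *addr)
{
    strcpy(dst, addr);          /* no bound: writes past dst[ADDR_BUF - 1] */
}

/* Hardened form: memchr() looks for the terminating NUL in at most dstsz
 * bytes, so neither the scan nor the copy can run past either buffer. An
 * address that does not fit is rejected outright rather than silently
 * truncated, so the caller must handle the failure. */
bool copy_address_checked(char *dst, size_t dstsz, const char *addr)
{
    const char *nul = memchr(addr, '\0', dstsz);
    if (nul == NULL)
        return false;           /* needs >= dstsz bytes: does not fit */
    memcpy(dst, addr, (size_t)(nul - addr) + 1);
    return true;
}

/* Constructed inputs: a normal address, and the 2000-character address the
 * message mentions. Both functions return true when the check works. */
bool accepts_short_address(void)
{
    char buf[ADDR_BUF];
    return copy_address_checked(buf, sizeof buf, "tgos@spamcop.net")
        && strcmp(buf, "tgos@spamcop.net") == 0;
}

bool rejects_long_address(void)
{
    char buf[ADDR_BUF];
    char addr[2001];
    memset(addr, 'A', 2000);    /* 2000 'A's, then the terminating NUL */
    addr[2000] = '\0';
    return !copy_address_checked(buf, sizeof buf, addr);
}

int main(void)
{
    printf("short address accepted: %d\n", accepts_short_address());
    printf("2000-char address rejected: %d\n", rejects_long_address());
    return 0;
}
```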