William Stacey [MVP] <st***********@ mvps.org> wrote:
IMO, not worth reading. Very biased with leaps of logic.
And hugely inaccurate.
Let's see:
1) "The problem is .NET, Microsoft=3Fs slowly evolving and very difficult
to understand effort to network-enable everything [...]"
That gives a completely inaccurate idea of the aim of .NET. Network-
enablement is only a small part of the story.
2) "You can write a program in C# or Visual Basic.NET. .NET is almost
exclusively Just-In-Time compiled. JIT'ing means, "I was just about to
interpret this, but I'll compile it at the very last minute instead."
In effect, the .NET code remains in interpretation-intended form right
up until the end."
Given that it's exclusively JIT-ted, claiming that it's
"interpreta tion-intended" at any point is bizarre.
3) "Java is interpreted and subject to this same vulnerability"
Apparently Robert still lives in about 1996, when Java really *was*
interpreted. While HotSpot (the most commonly used JVM, I believe) is a
mixed-mode JVM, interpreting code sometimes and JIT-ting it at other
times, the vast majority of JVM execution is JITted code, not
interpreted.
4) "The result is that nearly every emerging Microsoft product is
vulnerable, including the OS itself. That=3Fs one reason why we are
always hearing more, not fewer, stories about Microsoft security
problems."
How many security vulnerabilities have been announced in .NET products?
5) "The answer to providing a modicum of security for interpreted
applications has to this point been obfuscation -=3F making the code look
different so it can be difficult to decompile and figure out."
No, the answer to providing security is in strong authentication of
code, and making sure that that code itself is secure. Something being
easily reverse engineered doesn't make something insecure: if your
security relies on people not knowing exactly what the program does,
your code isn't secure to start with. Security through obscurity just
doesn't work.
Those aren't all the problems with the article (the idea that dynamic
program changes should basically be variable renaming ones is
ridiculous) but they're the clearest ones...
--
Jon Skeet - <sk***@pobox.co m>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
