

Silverlight Web OS Lets You Develop Apps Online And Share Them With a Click - happyjoe
http://www.silverlightshow.net/news/New-Silverlight-web-OS-lets-you-develop-applications-online-and-share-them-with-a-click-Wiki-OS.org.aspx

======
idm
Extremely impressive. ...although it's not clear why this isn't a huge vector
to cause all sorts of havoc.

The idea of having an executable sandbox that anyone can drop executable code
into sounds famously ill-conceived. Every time a site like yahoo mail or
myspace has a javascript sanitation problem, this causes major problems.

Sure, the "web at large" is like a big space filled with executable scripts,
but at least there is a level of accountability established by the site that
is hosting any scripts you're executing.

While javascript might execute in a sandbox, it's still wise to use NoScript.
I don't know enough about silverlight to know whether or not to trust it, so
by default, I am skeptical. I'm even more skeptical of a site that is built on
the idea of user-contributed apps that run in a silverlight sandbox.

I do appreciate the built-in ability to view the source code of the apps,
however. The reputation system for apps might also make it possible to crowd-
filter out the worst ones. All the same, I saw an app named "infinite" that I
imagine amounts to a denial of service. Yes, it was voted "-1" but it's
probably a DOS, lurking in the user-submitted apps.

Interesting experiment, but I have reservations.

~~~
trunnell
_although it's not clear why this isn't a huge vector to cause all sorts of
havoc._

First the larger question: Is the Silverlight sandbox safe? The Silverlight
CoreCLR security model is a simplified version of the full CLR security model
[1].

Some callouts:

- C# "unsafe" code blocks, which let you access raw pointers, are not
allowed.

- P/Invoke and COM Interop are not allowed.

- There are whole categories of the .NET class library that have been
removed, a notable example being local file access. Silverlight is not like
Adobe AIR, which gives you all sorts of native APIs.

- Socket communications are restricted by default to the original host from
which the Silverlight app was downloaded. Cross-domain access can be granted
by supplying either a Flash policy file or a Silverlight-native policy file.
[2]

Therefore, to say whether this could be used for DDOS attacks on other hosts,
we need to look at the network access policy file. Here it is:
<http://www.wiki-os.org/clientaccesspolicy.xml> . As configured now, Wiki-OS
allows incoming HTTP connections from any host, but outgoing connections are
only permitted to the original host (and outgoing connections can only use the
WebClient-- outgoing raw socket connections are not allowed).

This is interesting. If I'm reading that file correctly, it seems you could
write a Wiki-OS network server but not a DDOS vehicle.

[1] "Security In Silverlight 2"
<http://msdn.microsoft.com/en-us/magazine/cc765416.aspx>

[2] "Network Security Access Restrictions in Silverlight"
<http://msdn.microsoft.com/en-us/library/cc645032(VS.95).aspx>

~~~
idm
With regards to the "infinite" program, I meant a DOS on YOUR machine,
completely irrespective of network access. ...at least enough to force you to
close the tab or the browser. I assume the sandbox is good enough to keep the
process from causing the machine to become unresponsive, but hey...

Your conclusion is quite interesting, with respect to the possibilities of
wiki-os. That's potentially a quite powerful feature.

------
alain94040
And now it works on my Mac (one of the main complaints the first time it
launched <http://news.ycombinator.com/item?id=734886>) so I can actually play
with it.

------
byoung2
This is really cool...the best use of Silverlight I've seen so far. Now
Microsoft just needs to cook a clever implementation of Silverlight into the
next version of Windows Mobile to have a truly powerful mobile platform.

~~~
jrockway
"next version of Windows Mobile"

Is there even a plan for this? It seems like Microsoft clearly lost this one
and doesn't even care anymore.

~~~
listic
Really? Who won then?

Last time I checked, Windows Mobile is the prevalent operating system on
phones.

~~~
jrockway
Which is several years behind Android and iPhone OS in terms of features, with
no new release announced.

~~~
jawngee
What's it like being wrong so frequently, as you seem to be on HN:

[http://www.google.com/search?q=windows+mobile+7&ie=UTF-8...](http://www.google.com/search?q=windows+mobile+7&ie=UTF-8&oe=UTF-8)

~~~
jrockway
Let me guess, it includes WinFS too!

------
socratees
I feel that the whole web concept using a browser based interface is a bit
hyped now. And anyways believe it or not, iPhone is the first true Web OS. And
so is Google Android. It's sad Microsoft hasn't taken this kind of thing
seriously yet.

~~~
axod
>> "It's sad Microsoft hasn't taken this kind of thing seriously yet."

I'm sort of pleased. Look what happened when they took Netscape seriously. We
got years of crappy IE dominance.

The longer they flap around all confused while the rest of us move forward,
the better.

Pretty soon the advantage of silverlight/flash over HTML5/js will be 0. It's
pretty slim as it is IMHO.

------
rbanffy
Just what nobody needed!

