#16
Name of file utility?
R.Wieser wrote:
Ken,

If I remember correctly, it defaults to that. The first thing you should do with it, or any other programs, is to go to its settings and change defaults you don't want to what you do want.

That sounds good, but is a bit problematic: You have to start the program to change its settings, and guess what the first thing the program attempts to do (before you have a chance to change anything) ? Yep, you got it.

Yes, I understand that you didn't set it to do that, but by not checking the defaults and changing them to what you want, in effect you did.

I'm sorry, but with that "logic" you're presenting yourself as untrustworthy. As an MVP you should have been aware of the above mentioned, rather obvious, race condition. End of communication I'm afraid. Goodbye.

Regards, Rudy Wieser

But as a Rocket Scientist, you of course know you can unplug the network cable, any time an untrustworthy piece of software is being played with. It certainly stops Windows Update in its tracks :-) Then you can configure it, tease it, torture it, and so on. Disable any update services.

Paul
#17
Name of file utility?
Vanguard,
Thanks for your response. Though I think we are talking from quite different starting points: You accept all the cruft that's delivered with a program and try to limit its reach, I myself try to simply keep it out (not have it) to begin with.

For example, there have been a couple occasions where I did want to enable scripting because I knew the author of the PDF and he was validating the input fields to eliminate wasting time with boobs that enter the wrong data

The above is one of the reasons why I stressed "document viewer". I do not want a PDF to behave like a browser (with all of its inherent security issues).

Eliminates getting incorrectly filled-in forms

Nope. Believe me, it doesn't. If you can make a form which stops fools from entering incorrect data they will simply come up with better fools. :-) It also creates a *new* problem, where the filter can actually stop you from entering true data, because it refuses to "believe" it is (like putting a lower limit of 3 chars to a surname. Not funny when your name is Hu, of Chinese descendancy).

The PDF feature that I hate most is the ability to launch an action when loading a PDF.

In my viewer I tried to disable it (by erasing the command string in the executable). Alas, the (string!) command seems to be used internally too, so nothing worked anymore ...

Lastly, PDFs can have attachments of any filetype. I configure my PDF viewer to not allow any attachments other than PDFs

I assume that you are talking about in-webpage viewing of PDFs. I have disabled that behaviour. I save first, and view (as far as the PDF viewer is concerned) off-line.

Sounds like you have a problem with configuring the settings of a program so it behaves how you want and not the defaults which may conflict with your preferences.

Not really. And if I cannot figure settings out myself Google is close by. :-) The "problem" I have is that I do not think it's logical to have certain functionality present in a program, only to have to put effort into it to figure out to block it (permanently). Also, as the complexity of a program goes up (even if the functionality isn't used), the chance that some of it can be used in ways not meant/allowed goes up too.

Sorry but I have not used uber-dumb PDF viewers of which you request.

Still, thanks for the suggestions. I can't remember if I did check SumatraPDF...

Since you didn't address using Google Chrome with its built-in PDF viewer to eliminate further overhead of installing a PDF viewer app,

I rather have several separate programs. That way when one malfunctions I can easily disable, or even uninstall it without having to disable everything. It also makes it possible to pick and combine the solutions *I* like best, instead of having one big program where one part works great, but has another part which doesn't -- for which I then have to install another app anyway. :-\

With either web browser, there is no bloat to install another PDF viewer. It's already in the web browser.

:-) Thereby bloating the webbrowser. I think I mentioned "feature creep" before.

Regards, Rudy Wieser

-- Original message: VanguardLH wrote in news message ...

R.Wieser wrote:

Vanguard,

Scripting, attachments, and launch actions are part of the PDF specification.

Of the *current* spec ? That might be true.

I don't know when scripting, attachments, or launch actions were added to the PDF specification. Not really that interested in something that showed up 6 years, or more, ago. If the author saves their .pdf in an old PDF format then those features won't be available. While 3rd party PDF viewer authors allow you to disable scripting, Adobe added a sandbox to their Reader app which further restricts what privileges their ECMAscript has and what changes it can make. I haven't yet seen any of the 3rd party PDF viewers add a sandbox.
http://blogs.adobe.com/security/2010...er-protected-mode.html (yep, dated back to 2009, so it's been there for awhile but needed improvement in their first implementation)
http://www.adobe.com/devnet-docs/acr...ectedmode.html and its links to:
https://helpx.adobe.com/acrobat/kb/p...ing-reader.html
http://www.adobe.com/devnet-docs/acr...ctedmode.html#read-policy-changes-for-11-0

I switched away from Adobe Reader a long time ago (so I don't remember what version I was using back then) and went to PDF-Xchange Viewer which was more secure because I could configure it that way: disable Javascript (but prompt), disable launch action, and allow only .pdf attachments in .pdf files. Note: I don't know if PDF-Xchange got around to adding these same security settings in their Editor product that was supposed to supersede their Viewer product. I asked about their absence a long time ago, they said the options would show up, but I didn't bother to wait and went back to their Viewer app.

Eventually after researching the sandbox (Protected Mode) and further throttling (Enhanced Security), I decided Adobe Reader was more secure than PDF-Xchange Viewer. While you can read up on security vulnerabilities for Adobe Reader, you can't find any published for PDF-Xchange Viewer. That doesn't mean PDF-Xchange Viewer doesn't have any, only that you can't get info from them about defects in their software. Because vulnerabilities have been found in Adobe's sandbox implementation in the past, I configure Adobe Reader to also use Enhanced Security (it's off, by default, when installed because it interferes with the user's experience of using Reader and reading the PDF).

Be aware, however, that using multiple levels of sandboxing can cause problems. If, for example, you load Adobe Reader in another sandbox (e.g., Avast's sandbox) then Adobe Reader won't work. I don't remember the symptom but once I realized that Avast was sandboxing Adobe Reader then my choice was to: (1) configure Avast not to sandbox Adobe Reader's sandbox; or, (2) let Avast sandbox Adobe Reader and disable Protected Mode in Adobe Reader. A sandbox in a sandbox will have problems.

For Adobe Reader, I also enable Enhanced Security. You can read about it at:
http://www.adobe.com/devnet-docs/acr...at_Enhanced_Security_FAQ.pdf
That means PDFs are even more throttled. A yellow infobar shows up telling me about the throttling so I can decide whether to decrease security to gain more features of viewing the PDF.

Next to that I regard at least two of the above "features" as security holes.

While I disable scripting, I understand where and why it is helpful. The only places that I have found scripting used in PDFs is when the author wants to validate the user's input in forms, like making sure they enter a number in a numerical field and that its value is within the range allowed. Eliminates getting incorrectly filled-in forms. The only places I remember hitting such scripted PDFs were internal docs in a company and gov't forms. Scripting makes for a smart PDF form instead of hoping the user inputs the correct data.

The PDF feature that I hate most is the ability to launch an action when loading a PDF. That is, when you load the PDF, it can have an action (command) specified to launch. I disable that as I want to be informed BEFORE any launch action is committed.

Lastly, PDFs can have attachments of any filetype. I configure my PDF viewer to not allow any attachments other than PDFs. So a PDF can only have a PDF attachment (which will load under the same security restraints as configured in the viewer app).

If you use the defaults of ANY program then you have elected to have someone else decide what setup of the program is best for you. If they go to the trouble of providing you with options then go review them to know how YOU want to use the program.
For example, there have been a couple occasions where I did want to enable scripting because I knew the author of the PDF and he was validating the input fields to eliminate wasting time with boobs that enter the wrong data. Afterward I disabled scripting again. The PDF viewer is configured to prompt me if a PDF wants to run a script so I can decide Yes or No. This is just like configuring Windows Update to prompt when there are new updates but *I* decide when to download and apply them.

Do you also use the defaults of 3rd party anti-virus or firewall software you install on your computer? Sure, if you want their default level of protection but not if you want to take advantage of more advanced features which typically means more interference since security and ease-of-use are the antithesis of each other.

Expect responses to duplicate your efforts in finding a PDF viewer that you like since you didn't mention which ones you have already reviewed.

Irrelevant. Suggesting *any* reader which includes either of those features would be counterproductive, regardless of if I had already seen it or not.

Sounds like you have a problem with configuring the settings of a program so it behaves how you want and not the defaults which may conflict with your preferences. Reviewing preferences or settings is how you learn what the program can do. Have you ever reviewed the settings available in your word processor?

Sorry but I have not used uber-dumb PDF viewers of which you request. I simply configure them the way that I want regarding security. I mentioned SlimPDF because supposedly its focus is only to view and print PDFs, not to do anything else. With a file size of only 1.43 MB, I doubt it has the space to include code to perform Javascript parsing and execution.

I only vaguely recall GsView (http://www.gsview.com/). I think it was available as a download from the Ghostscript site when I trialed it. It was a very basic PDF viewer; however, it is a 26MB download so it doesn't seem a small viewer. They might include a copy of Ghostscript (14 MB) instead of the installer optionally downloading it and starting its install. You can search Google Images to see what its GUI looks like. It is nagware, nags when you load it. It can display only one PDF page at a time. You have to hit the back and forward buttons to move through the pages instead of using a scroll bar. After all, it's just a GUI front-end to Ghostscript so buffering and scrolling are features added in smarter viewers.

SumatraPDF, also already mentioned, is only a 4.3 MB download, so it may be too small to include a Javascript interpreter. Its GUI is less archaic than GSview's. http://www.sumatrapdfreader.org/manual.html says it has an advanced mode to reduce the app's privileges or actions. It also says "Editing interactive forms and adding comments is not implemented" so my guess is that it does not support scripting (which is required for "interactive" forms). You have to edit a settings.ini file instead of using GUI menus with dialogs to select settings.

Since you didn't address using Google Chrome with its built-in PDF viewer to eliminate further overhead of installing a PDF viewer app, I'll assume you don't use Google Chrome. Firefox might be your choice and that also comes with a built-in PDF viewer (pdf.js). PDF.js is an Apache Javascript library to convert PDFs into HTML5 formatted docs. With either web browser, there is no bloat to install another PDF viewer. It's already in the web browser.
#18
Name of file utility?
Paul,
But as a Rocket Scientist, ...

What would you rather do: Keep a thief out of your house, or invite/keep inviting him in and having to think about all the ways he could use to do his "hobby", and how you can keep making sure that it doesn't happen (locking the silverware up, together with wallets and all kinds of car/house/etc. keys) ? One moment of distraction, one small mistake and you lose (it) you know ...

I don't know about you, but I'm definitely choosing for the first option. :-)

But yes, I had disconnected the cable for just that reason.

Disable any update services.

:-)

Regards, Rudy Wieser

-- Original message: Paul wrote in news message ...

R.Wieser wrote:

Ken,

If I remember correctly, it defaults to that. The first thing you should do with it, or any other programs, is to go to its settings and change defaults you don't want to what you do want.

That sounds good, but is a bit problematic: You have to start the program to change its settings, and guess what the first thing the program attempts to do (before you have a chance to change anything) ? Yep, you got it.

Yes, I understand that you didn't set it to do that, but by not checking the defaults and changing them to what you want, in effect you did.

I'm sorry, but with that "logic" you're presenting yourself as untrustworthy. As an MVP you should have been aware of the above mentioned, rather obvious, race condition. End of communication I'm afraid. Goodbye.

Regards, Rudy Wieser

But as a Rocket Scientist, you of course know you can unplug the network cable, any time an untrustworthy piece of software is being played with. It certainly stops Windows Update in its tracks :-) Then you can configure it, tease it, torture it, and so on. Disable any update services.

Paul
#19
Name of file utility?
R.Wieser wrote:
Vanguard,

Eliminates getting incorrectly filled-in forms

Nope. Believe me, it doesn't. If you can make a form which stops fools from entering incorrect data they will simply come up with better fools. :-)

Yes, it DOES reduce the number of invalid inputs. I didn't say the error checking could not be surmounted since it depends on the programmer who writes the checking code. It's easy to require a specific data type in a field (e.g., numeric) and to ensure it is not a negative value and that it is within a range of valid values. Beyond that, just how is a user going to put in a text string or numeric values not within range? You know as well as do I that no one is going to bother adding script to a PDF unless its intent is to do something the author wants, like validating input. If you don't like what's put into a PDF, the real culprit to complain at is the author of the PDF.

It also creates a *new* problem, where the filter can actually stop you from entering true data, because it refuses to "believe" it is (like putting a lower limit of 3 chars to a surname. Not funny when your name is Hu, of Chinese descendancy).

Maybe that's why the form was coded not to accept 2-character names. ;-) I haven't seen a programmed (scripted) PDF that required more than 1 character for a name field. I've run across some of those and I could just put in a single character for first and last name. The script did check my name did not begin with a numeric or special character, like 007Bond or !Roger.

Lastly, PDFs can have attachments of any filetype. I configure my PDF viewer to not allow any attachments other than PDFs

I assume that you are talking about in-webpage viewing of PDFs. I have disabled that behaviour. I save first, and view (as far as the PDF viewer is concerned) off-line.

Nope, I'm talking about the .pdf file itself can have a block of binary strings which constitute an attachment WITHIN that .pdf file. Nothing to do with the web. A .pdf file sitting on your hard disk can contain an attachment (just like an e-mail can have an attachment which is just a MIME part within the body of the e-mail containing a long encoded string). So the .pdf file could carry along an .exe attachment that someone could be fooled into running. I have yet to get a .pdf file with an embedded attachment.

http://blogs.adobe.com/insidepdf/201...tachments.html

While .doc files have structure to track changes to a document (so you can tell who changed what or, at least, what got changed from the prior revision of the document), I don't recall ever hearing file versioning was a feature of a PDF. So, as I've read, one purpose of attaching a .pdf within a .pdf is to provide the altered .pdf but include a copy of the original .pdf. More info below:

http://blogs.adobe.com/insidepdf/201...tachments.html

The "problem" I have is that I do not think it's logical to have certain functionality present in a program, only to have to put effort into it to figure out to block it (permanently).

There are users that want the simplest or most basic functionality of a viewer. While I use TrueCrypt, some users prefer the more simplistic BestCrypt Portable (which is free, the full version is not) for securing content inside a container. Rarely have I seen programs that are built as a "cottage industry" component model where you get to pick and choose what features it will have. Usually for custom installs, you are omitting ancillary software, not eradicating a chunk of code in the executables for the program itself. That's why settings are provided. To get the least features (without involving settings) typically requires you find the least featured program. That's why I figure the tiny PDF viewers would have the fewest features.

Since you didn't address using Google Chrome with its built-in PDF viewer to eliminate further overhead of installing a PDF viewer app,

I rather have several separate programs. That way when one malfunctions I can easily disable, or even uninstall it without having to disable everything.

I also disable the in-browser (plug-in) option of any PDF viewer that I use. I'd rather see the document in a separate viewer than buried in the tabs of a web browser. Too many documents getting melded together under one app (web browser). In fact, I got into that habit because PDF-Xchange Viewer has *2* settings groups: one for the PDF viewer itself and a separate one for the plug-in PDF viewer used in the web browser. I would change some settings in the full program but they were not reflected in the plug-in viewer. I had to make the same setting change in 2 places.

With either web browser, there is no bloat to install another PDF viewer. It's already in the web browser.

As you've noted, feature creep has been a property of web browsers ever since users moved away from Lynx or similar text-only web browsers. Hell, web browsers are claiming HTML5 compatibility despite that not all of HTML5 has been ratified and isn't expected to get ratified until around 2020 to 2022.

I figure the tiny PDF viewers are those that won't have all the bells and whistles to support all the features available in PDFs. If they are tiny, they don't have room to include a Javascript interpreter. They are too tiny to allow annotation in a PDF. And they're probably too tiny to provide code to execute launch actions or extract the encoded string within a PDF to get at an attachment internal to that PDF.
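Added example, not part of any post in this thread: a small Python triage scan that reports whether a PDF uses the features argued over above (scripting, open/launch actions, attachments) before it is handed to a viewer. The function names are this example's own and the sample bytes are constructed for the demonstration; it normalises `#xx`-escaped names and also looks inside Flate-compressed streams.

```python
import re
import zlib

# PDF name tokens behind the features discussed in this thread.
RISKY_NAMES = {
    "JS": "JavaScript source attached to an action",
    "JavaScript": "JavaScript action or name tree",
    "OpenAction": "action run when the document is opened",
    "AA": "additional actions fired by events",
    "Launch": "launch action (starts an external command)",
    "EmbeddedFile": "embedded file stream (attachment)",
    "EmbeddedFiles": "name tree listing attachments",
}

# A name is "/" followed by anything except whitespace and PDF delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#53 and /JS compare equal."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def inflated_streams(data: bytes):
    """Yield contents of Flate-compressed streams (object streams hold dictionaries)."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # uncompressed, or a filter this sketch does not handle


def scan_pdf(data: bytes) -> dict:
    """Count risky names in the file body and inside inflated streams."""
    body = STREAM_RE.sub(b"stream endstream", data)  # skip raw binary stream data
    counts = {}
    for chunk in [body, *inflated_streams(data)]:
        for m in NAME_RE.finditer(chunk):
            name = decode_name(m.group(1))
            if name in RISKY_NAMES:
                counts[name] = counts.get(name, 0) + 1
    return counts


def build_sample() -> bytes:
    """Constructed PDF-like fragment for the demo; not a complete, valid PDF."""
    hidden = zlib.compress(b"<< /Type /EmbeddedFile /Subtype /application#2Fpdf >>")
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /OpenAction 2 0 R"
        b" /Names << /EmbeddedFiles 4 0 R >> >> endobj\n",
        b"2 0 obj << /S /Launch /F (placeholder) >> endobj\n",
        b"3 0 obj << /S /J#61vaScript /J#53 (placeholder) >> endobj\n",
        b"5 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n",
        hidden,
        b"\nendstream endobj\n",
    ])


if __name__ == "__main__":
    for name, n in sorted(scan_pdf(build_sample()).items()):
        print(f"{n:3d}  /{name:<14} {RISKY_NAMES[name]}")
```

A hit is a lead for closer inspection rather than a verdict, and an empty result says nothing about encrypted files or streams using filters other than Flate.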
#20
Name of file utility?
R.Wieser wrote:
Ken,

If I remember correctly, it defaults to that. The first thing you should do with it, or any other programs, is to go to its settings and change defaults you don't want to what you do want.

That sounds good, but is a bit problematic: You have to start the program to change its settings, and guess what the first thing the program attempts to do (before you have a chance to change anything) ? Yep, you got it.

If you install unknown software and are concerned that it performs an update check or phones home for some other reason, tis easy to disable the NIC in your computer. Most users have a tray icon showing activity on the NIC, or eventually they enable the option to show the networking tray icon. You can disable the Ethernet connection using the tray icon (re-enabling takes a bit more effort). Powering off the router works, too. Just because you are physically connected to a network doesn't mean your host must send traffic there.

If you use 3rd party firewall software, most good ones can be configured or by default will prompt you when a previously unauthorized process attempts to make an outbound connection. While the Windows firewall is primarily configured to guard against unsolicited inbound connections, it can be configured to restrict outbound connections; however, it is a pain to figure out why a program isn't working without a prompt about the network block.

http://www.sphinx-soft.com/Vista/order.html and http://wokhan.online.fr/progs.php?sec=WFN give you prompts and more control over how the Windows Firewall can be made more hospitable in controlling outbound connects; however, while it does not install any software (that continues to run in the background, only to use the events in Windows and change the configuration of the Windows Firewall), I'd probably go with a 3rd party firewall. Usually those provide a tray icon you can simply right-click on to disable it thereby blocking all network traffic in or out.