<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article10_01_06_2012204</id>
	<title>2010 Will Be the Year of Sandboxing Apps</title>
	<author>timothy</author>
	<datestamp>1262766240000</datestamp>
	<htmltext>Trailrunner7 writes <i>"In a  guest editorial on Threatpost, Mac hacker and security researcher Dino Dai Zovi writes that 2010 will be the year that software vendors get religion about <a href="http://threatpost.com/en_us/blogs/i-have-only-one-security-prediction-2010-010610?utm_source=Threatpost&amp;utm_medium=Tabs&amp;utm_campaign=Today's+Most+Popular">sandboxing untrusted data in desktop apps</a>. 'Instead of the usual top ten lists that are all-too-common with predictions for the new year, I have just one:  2010 will be the year of desktop applications handling untrusted data in sandboxed processes, and it will be about time. The largest Internet security threats now arrive through malicious web pages or e-mail attachments.  This is because attackers are opportunistic and these are the weakest links especially because they easily pass through every firewall.  Security is not and never was about SYN packets, it is about data: the software attack surface that attacker-controlled data interacts with and what sensitive data the attacker can get a hold of if they can exploit vulnerabilities in that software.'"</i></htmltext>
<tokenext>Trailrunner7 writes " In a guest editorial on Threatpost , Mac hacker and security researcher Dino Dai Zovi writes that 2010 will be the year that software vendors get religion about sandboxing untrusted data in desktop apps .
'Instead of the usual top ten lists that are all-too-common with predictions for the new year , I have just one : 2010 will be the year of desktop applications handling untrusted data in sandboxed processes , and it will be about time .
The largest Internet security threats now arrive through malicious web pages or e-mail attachments .
This is because attackers are opportunistic and these are the weakest links especially because they easily pass through every firewall .
Security is not and never was about SYN packets , it is about data : the software attack surface that attacker-controlled data interacts with and what sensitive data the attacker can get a hold of if they can exploit vulnerabilities in that software .
' "</tokentext>
<sentencetext>Trailrunner7 writes "In a  guest editorial on Threatpost, Mac hacker and security researcher Dino Dai Zovi writes that 2010 will be the year that software vendors get religion about sandboxing untrusted data in desktop apps.
'Instead of the usual top ten lists that are all-too-common with predictions for the new year, I have just one:  2010 will be the year of desktop applications handling untrusted data in sandboxed processes, and it will be about time.
The largest Internet security threats now arrive through malicious web pages or e-mail attachments.
This is because attackers are opportunistic and these are the weakest links especially because they easily pass through every firewall.
Security is not and never was about SYN packets, it is about data: the software attack surface that attacker-controlled data interacts with and what sensitive data the attacker can get a hold of if they can exploit vulnerabilities in that software.
'"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30677972</id>
	<title>Re:How about reducing the surface area?</title>
	<author>jonaskoelker</author>
	<datestamp>1262789520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>I'd rather be safe than "wow"ed.</p></div><p>Your users (family members etc.) <em>think</em> they're safe, and want to be wow'ed.  They're going to complain if they can't be.</p><p><div class="quote"><p>Don't even *offer* to automatically open a file after downloading.</p></div><p>What's gained by having the user traverse a path of directories before opening the file manually, versus having the user explicitly ask for the file to be opened automatically at some later point?  I mean, it's going to get opened one way or the other, right?</p><p>When's the last time you downloaded a file and then immediately decided never to open it?</p></div>
	</htmltext>
<tokenext>I 'd rather be safe than " wow " ed.Your users ( family members etc .
) think they 're safe , and want to be wow'ed .
They 're going to complain if they ca n't be.Do n't even * offer * to automatically open a file after downloading.What 's gained by having the user traverse a path of directories before opening the file manually , versus having the user explicitly ask for the file to be opened automatically at some later point ?
I mean , it 's going to get opened one way or the other , right ? When 's the last time you downloaded a file and then immediately decided never to open it ?</tokentext>
<sentencetext>I'd rather be safe than "wow"ed.Your users (family members etc.
) think they're safe, and want to be wow'ed.
They're going to complain if they can't be.Don't even *offer* to automatically open a file after downloading.What's gained by having the user traverse a path of directories before opening the file manually, versus having the user explicitly ask for the file to be opened automatically at some later point?
I mean, it's going to get opened one way or the other, right?When's the last time you downloaded a file and then immediately decided never to open it?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675666</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30677030</id>
	<title>Re:you mean like an operating system is supposed t</title>
	<author>Anonymous</author>
	<datestamp>1262783100000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>So give each system process its own user ID. That's how it's done on production servers. Problem solved.</p></htmltext>
<tokenext>So give each system process its own user ID .
That 's how it 's done on production servers .
Problem solved .</tokentext>
<sentencetext>So give each system process its own user ID.
That's how it's done on production servers.
Problem solved.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675510</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678176</id>
	<title>Re:Instead of validating inputs</title>
	<author>jhol13</author>
	<datestamp>1262791440000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>We have tried the "validating" approach for 20 years and it is still failing at a tremendous rate.</p><p>Maybe it is time to try something else?</p></htmltext>
<tokenext>We have tried the " validating " approach for 20 years and it is still failing at a tremendous rate.Maybe it is time to try something else ?</tokentext>
<sentencetext>We have tried the "validating" approach for 20 years and it is still failing at a tremendous rate.Maybe it is time to try something else?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675314</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674746</id>
	<title>Re:Let's just stop using the browser as an OS.</title>
	<author>AvitarX</author>
	<datestamp>1262771760000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p><i>It was never meant to be anything more than a way to view mainly static documents, and quickly access other linked documents.</i></p><p>You are wrong wrong wrong.  For many years now the browser has been meant for more than that.  It originally may not have been meant for more than that, but to say it never was is stupid.  The reason MS panicked about it was there was an express intent of making the browser more than that.</p></htmltext>
<tokenext>It was never meant to be anything more than a way to view mainly static documents , and quickly access other linked documents.You are wrong wrong wrong .
For many years now the browser has been meant for more than that .
It originally may not have been meant for more than that , but to say it never was is stupid .
The reason MS panicked about it was there was an express intent of making the browser more than that .</tokentext>
<sentencetext>It was never meant to be anything more than a way to view mainly static documents, and quickly access other linked documents.You are wrong wrong wrong.
For many years now the browser has been meant for more than that.
It originally may not have been meant for more than that, but to say it never was is stupid.
The reason MS panicked about it was there was an express intent of making the browser more than that.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30679096</id>
	<title>Re:Bill Gates isn't CEO any more</title>
	<author>drsmithy</author>
	<datestamp>1262799840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p> <i>Slashdot needs to retire the Bill Gates Borg picture.</i>
</p><p>Are you kidding ?  It's the *epitome* of Slashdot.</p></htmltext>
<tokenext>Slashdot needs to retire the Bill Gates Borg picture .
Are you kidding ?
It 's the * epitome * of Slashdot .</tokentext>
<sentencetext> Slashdot needs to retire the Bill Gates Borg picture.
Are you kidding ?
It's the *epitome* of Slashdot.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675154</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674662</id>
	<title>Old news?</title>
	<author>COMON$</author>
	<datestamp>1262771280000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Wasn't sandboxing the cool word about 10 years ago?</htmltext>
<tokenext>Was n't sandboxing the cool word about 10 years ago ?</tokentext>
<sentencetext>Wasn't sandboxing the cool word about 10 years ago?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674862</id>
	<title>wha?</title>
	<author>jasno</author>
	<datestamp>1262772360000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><blockquote><div><p>Security is not and never was about SYN packets</p></div></blockquote><p>Security is about everything, period.</p></div>
	</htmltext>
<tokenext>Security is not and never was about SYN packetsSecurity is about everything , period .</tokentext>
<sentencetext>Security is not and never was about SYN packetsSecurity is about everything, period.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676448</id>
	<title>Good choice Lumpy: I noted it too... apk</title>
	<author>Anonymous</author>
	<datestamp>1262779860000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><p><b>"sandboxie... Great program, will NOT work on a 64 bit OS. IT has kept my Daughter's PC free of crap because she refuses to not click on everything and not use Internet explorer... so I sandboxed it. Click on everything, it's all sandboxed."</b> - by Lumpy (12016) on Wednesday January 06, @03:32PM (#30674480) Homepage</p></div><p>Per my subject-line above Lumpy, again: GOOD CHOICE!</p><p><a href="http://tech.slashdot.org/comments.pl?sid=1500360&amp;cid=30676292" title="slashdot.org" rel="nofollow">http://tech.slashdot.org/comments.pl?sid=1500360&amp;cid=30676292</a> [slashdot.org]</p><p>Albeit, I extolled what I am PRETTY SURE is the "mechanics" of HOW it works, which is via a FILTERING DRIVER (and that's WHY it won't work on 64-bit OS, because it doesn't have a 64-bit driver ported for it... not yet @ least, but, I am sure it will one day!).</p><p>I use it myself, albeit, on a TRUE SSD (so its F A S T on writes too, because of how it works? It helps... less latency, &amp; especially on writes to disk!).</p><p>It's probably the CLOSEST thing Win32 has right now to a *NIX-style "Chroot jail" basically... @ least in effect.</p><p>APK</p><p>P.S.=&gt; Again: Good choice on your part though... &amp;, always NICE to meet another "coinnoiseur" of Win32 freeware/shareware apps also! Glad this post on<nobr> <wbr></nobr>/. reminded me to look if there was an update, &amp; recently (last month)? There was, so I went "up" from version 3.30 to 3.42, which is usually always good! apk</p></div>
	</htmltext>
<tokenext>" sandboxie... Great program , will NOT work on a 64 bit OS .
IT has kept my Daughter 's PC free of crap because she refuses to not click on everything and not use Internet explorer... so I sandboxed it .
Click on everything , it 's all sandboxed .
" - by Lumpy ( 12016 ) on Wednesday January 06 , @ 03 : 32PM ( # 30674480 ) HomepagePer my subject-line above Lumpy , again : GOOD CHOICE ! http : //tech.slashdot.org/comments.pl ? sid = 1500360&amp;cid = 30676292 [ slashdot.org ] Albeit , I extolled what I am PRETTY SURE is the " mechanics " of HOW it works , which is via a FILTERING DRIVER ( and that 's WHY it wo n't work on 64-bit OS , because it does n't have a 64-bit driver ported for it... not yet @ least , but , I am sure it will one day !
) .I use it myself , albeit , on a TRUE SSD ( so its F A S T on writes too , because of how it works ?
It helps... less latency , &amp; especially on writes to disk !
) .It 's probably the CLOSEST thing Win32 has right now to a * NIX-style " Chroot jail " basically... @ least in effect.APKP.S. = &gt; Again : Good choice on your part though... &amp; , always NICE to meet another " coinnoiseur " of Win32 freeware/shareware apps also !
Glad this post on / .
reminded me to look if there was an update , &amp; recently ( last month ) ?
There was , so I went " up " from version 3.30 to 3.42 , which is usually always good !
apk</tokentext>
<sentencetext>"sandboxie... Great program, will NOT work on a 64 bit OS.
IT has kept my Daughter's PC free of crap because she refuses to not click on everything and not use Internet explorer... so I sandboxed it.
Click on everything, it's all sandboxed.
" - by Lumpy (12016) on Wednesday January 06, @03:32PM (#30674480) HomepagePer my subject-line above Lumpy, again: GOOD CHOICE!http://tech.slashdot.org/comments.pl?sid=1500360&amp;cid=30676292 [slashdot.org]Albeit, I extolled what I am PRETTY SURE is the "mechanics" of HOW it works, which is via a FILTERING DRIVER (and that's WHY it won't work on 64-bit OS, because it doesn't have a 64-bit driver ported for it... not yet @ least, but, I am sure it will one day!
).I use it myself, albeit, on a TRUE SSD (so its F A S T on writes too, because of how it works?
It helps... less latency, &amp; especially on writes to disk!
).It's probably the CLOSEST thing Win32 has right now to a *NIX-style "Chroot jail" basically... @ least in effect.APKP.S.=&gt; Again: Good choice on your part though... &amp;, always NICE to meet another "coinnoiseur" of Win32 freeware/shareware apps also!
Glad this post on /.
reminded me to look if there was an update, &amp; recently (last month)?
There was, so I went "up" from version 3.30 to 3.42, which is usually always good!
apk
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676916</id>
	<title>DNF and Linux</title>
	<author>Gothmolly</author>
	<datestamp>1262782320000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Can I sandbox DNF on my I-Opener running Linux ?</p></htmltext>
<tokenext>Can I sandbox DNF on my I-Opener running Linux ?</tokentext>
<sentencetext>Can I sandbox DNF on my I-Opener running Linux ?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676862</id>
	<title>Re:Windows 7</title>
	<author>Mr. Freeman</author>
	<datestamp>1262781960000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>That's not a bug, it's a security feature.  At least, that's how we'll market it.</htmltext>
<tokenext>That 's not a bug , it 's a security feature .
At least , that 's how we 'll market it .</tokentext>
<sentencetext>That's not a bug, it's a security feature.
At least, that's how we'll market it.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674452</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675780</id>
	<title>Been There Done That.</title>
	<author>thatkid_2002</author>
	<datestamp>1262776320000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>There is plenty of sandboxing technology out there, but few are willing to use it. <br>
I had some discussions on the Haiku OS forums about using some type of application virtualisation or sandboxing as a way to take care of OS level security. Links to these are <a href="http://www.haiku-os.org/community/forum/sandbox_securitymulti_user_idea" title="haiku-os.org" rel="nofollow">Here...</a> [haiku-os.org] and <a href="http://www.haiku-os.org/community/forum/haiku_security" title="haiku-os.org" rel="nofollow">Here.</a> [haiku-os.org]
<br>
There are many ways to skin a cat, but it's almost impossible to find the "best" way when you are trying to balance security and user experience.</htmltext>
<tokenext>There is plenty of sandboxing technology out there , but few are willing to use it .
I had some discussions on the Haiku OS forums about using some type of application virtualisation or sandboxing as a way to take care of OS level security .
Links to these are Here... [ haiku-os.org ] and Here .
[ haiku-os.org ] There are many ways to skin a cat , but it 's almost impossible to find the " best " way when you are trying to balance security and user experience .</tokentext>
<sentencetext>There is plenty of sandboxing technology out there, but few are willing to use it.
I had some discussions on the Haiku OS forums about using some type of application virtualisation or sandboxing as a way to take care of OS level security.
Links to these are Here... [haiku-os.org] and Here.
[haiku-os.org]

There are many ways to skin a cat, but it's almost impossible to find the "best" way when you are trying to balance security and user experience.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678694</id>
	<title>Hear hear - an idea whose time has come</title>
	<author>WinstonWolfIT</author>
	<datestamp>1262795820000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>When a prediction spurs on nothing but agreement in<nobr> <wbr></nobr>/. on how to implement it, you know it's bound to happen.</htmltext>
<tokenext>When a prediction spurs on nothing but agreement in / .
on how to implement it , you know it 's bound to happen .</tokentext>
<sentencetext>When a prediction spurs on nothing but agreement in /.
on how to implement it, you know it's bound to happen.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678494</id>
	<title>The Thin Line Between "Victim" and "Idiot"</title>
	<author>Anonymous</author>
	<datestamp>1262794260000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>May I point you to: <a href="http://linuxgazette.net/170/starks.html" title="linuxgazette.net" rel="nofollow"> The Thin Line Between 'Victim' and 'Idiot' </a> [linuxgazette.net] and <a href="http://lwn.net/Articles/368690/" title="lwn.net" rel="nofollow">The isolate utility</a> [lwn.net]</p><p>And also a shoutout to lwn.net from whom I've been stealing much information for my Slashdot submissions and not giving them appropriate credit.</p></htmltext>
<tokenext>May I point you to : The Thin Line Between 'Victim ' and 'Idiot ' [ linuxgazette.net ] and The isolate utility [ lwn.net ] And also a shoutout to lwn.net from whom I 've been stealing much information for my Slashdot submissions and not giving them appropriate credit .</tokentext>
<sentencetext>May I point you to:  The Thin Line Between 'Victim' and 'Idiot'  [linuxgazette.net] and The isolate utility [lwn.net]And also a shoutout to lwn.net from whom I've been stealing much information for my Slashdot submissions and not giving them appropriate credit.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675978</id>
	<title>Frist p5ot</title>
	<author>Anonymous</author>
	<datestamp>1262777160000</datestamp>
	<modclass>Redundant</modclass>
	<modscore>-1</modscore>
	<htmltext>people playing can 1t transforms into</htmltext>
<tokenext>people playing can 1t transforms into</tokentext>
<sentencetext>people playing can 1t transforms into</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554</id>
	<title>Let's just stop using the browser as an OS.</title>
	<author>Anonymous</author>
	<datestamp>1262770620000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>Maybe we should just stop using the goddamn browser as an operating system. It was never meant to be anything more than a way to view mainly static documents, and quickly access other linked documents.</p><p>While some interactivity is of course useful and sensible, some fools have gone off the deep end and think we should treat the browser as some sort of an application development platform.</p><p>Of course, anyone who has done real application development under a real operating system, even if it is just Windows, knows how poorly the browser is as such a platform. It's clear that everything, from JavaScript to AJAX to Flash, has been tacked on as a shitty afterthought.</p><p>The answer isn't sandboxing. The answer is that we need to go back to using the browser as just a browser, and nothing else. And any real applications that demand network connectivity should be written as such, and run outside of the browser.</p></htmltext>
<tokenext>Maybe we should just stop using the goddamn browser as an operating system .
It was never meant to be anything more than a way to view mainly static documents , and quickly access other linked documents.While some interactivity is of course useful and sensible , some fools have gone off the deep end and think we should treat the browser as some sort of an application development platform.Of course , anyone who has done real application development under a real operating system , even if it is just Windows , knows how poorly the browser is as such a platform .
It 's clear that everything , from JavaScript to AJAX to Flash , has been tacked on as a shitty afterthought.The answer is n't sandboxing .
The answer is that we need to go back to using the browser as just a browser , and nothing else .
And any real applications that demand network connectivity should be written as such , and run outside of the browser .</tokentext>
<sentencetext>Maybe we should just stop using the goddamn browser as an operating system.
It was never meant to be anything more than a way to view mainly static documents, and quickly access other linked documents.While some interactivity is of course useful and sensible, some fools have gone off the deep end and think we should treat the browser as some sort of an application development platform.Of course, anyone who has done real application development under a real operating system, even if it is just Windows, knows how poorly the browser is as such a platform.
It's clear that everything, from JavaScript to AJAX to Flash, has been tacked on as a shitty afterthought.The answer isn't sandboxing.
The answer is that we need to go back to using the browser as just a browser, and nothing else.
And any real applications that demand network connectivity should be written as such, and run outside of the browser.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674988</id>
	<title>you mean like an operating system is supposed to?</title>
	<author>Anonymous</author>
	<datestamp>1262772900000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>3</modscore>
	<htmltext>really? sandboxing desktop apps?  Look at what one of the design goals of any real OS is and providing security, memory protection( from other apps and OS space ), indirect access to hardware, and smooth multitasking between apps and OS are right up there near the top. Memory protection is WAY up there near the top unless you're looking at special purpose realtime applications or micro-controller apps.  Now what we are seeing on Windows is yet another layer in an attempt to fix a bad design and one which will continue to slow down the system while pushing the hardware. It's great if you are out to sell more expensive hardware and you don't want lower end( cheaper priced ) hardware to run your software. You know, like how Vista ran so good on netbooks and how Windows 7 is better than Vista at that but still worse than Windows XP.<br><br>Sandboxing is basically what virtual machines like VMWare, VirtualBox, KVM, VirtualPC all do. Off of Windows, it gives users a way to run Windows without rebooting their main OS. On Windows, it gives businesses a way to keep one crashing Windows server from taking down the other servers and in the desktop it lets users boot Linux without rebooting Windows. But for app protection? That's what the OS is supposed to be doing.<br><br>LoB</htmltext>
<tokenext>really ?
sandboxing desktop apps ?
Look at what one of the design goals of any real OS is and providing security , memory protection ( from other apps and OS space ) , indirect access to hardware , and smooth multitasking between apps and OS are right up there near the top .
Memory protection is WAY up there near the top unless you 're looking at special purpose realtime applications or micro-controller apps .
Now what we are seeing on Windows is yet another layer in an attempt to fix a bad design and one which will continue to slow down the system while pushing the hardware .
It 's great if you are out to sell more expensive hardware and you do n't want lower end ( cheaper priced ) hardware to run your software .
You know , like how Vista ran so good on netbooks and how Windows 7 is better than Vista at that but still worse than Windows XP.Sandboxing is basically what virtual machines like VMWare , VirtualBox , KVM , VirtualPC all do .
Off of Windows , it gives users a way to run Windows without rebooting their main OS .
On Windows , it gives businesses a way to keep one crashing Windows server from taking down the other servers and in the desktop it lets users boot Linux without rebooting Windows .
But for app protection ?
That 's what the OS is supposed to be doing.LoB</tokentext>
<sentencetext>really?
sandboxing desktop apps?
Look at what one of the design goals of any real OS is and providing security, memory protection( from other apps and OS space ), indirect access to hardware, and smooth multitasking between apps and OS are right up there near the top.
Memory protection is WAY up there near the top unless you're looking at special purpose realtime applications or micro-controller apps.
Now what we are seeing on Windows is yet another layer in an attempt to fix a bad design and one which will continue to slow down the system while pushing the hardware.
It's great if you are out to sell more expensive hardware and you don't want lower end( cheaper priced ) hardware to run your software.
You know, like how Vista ran so good on netbooks and how Windows 7 is better than Vista at that but still worse than Windows XP.Sandboxing is basically what virtual machines like VMWare, VirtualBox, KVM, VirtualPC all do.
Off of Windows, it gives users a way to run Windows without rebooting their main OS.
On Windows, it gives businesses a way to keep one crashing Windows server from taking down the other servers and in the desktop it lets users boot Linux without rebooting Windows.
But for app protection?
That's what the OS is supposed to be doing.LoB</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674432</id>
	<title>A wish, not a prediction</title>
	<author>truthsearch</author>
	<datestamp>1262770080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>This is much more of a wish, not a prediction.  Microsoft has only barely just started to offer sandboxing.  It's also not common practice by other desktop application developers.</p></htmltext>
<tokenext>This is much more of a wish , not a prediction .
Microsoft has only barely just started to offer sandboxing .
It 's also not common practice by other desktop application developers .</tokentext>
<sentencetext>This is much more of a wish, not a prediction.
Microsoft has only barely just started to offer sandboxing.
It's also not common practice by other desktop application developers.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675154</id>
	<title>Bill Gates isn't CEO any more</title>
	<author>Anonymous</author>
	<datestamp>1262773620000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Slashdot needs to retire the Bill Gates Borg picture.</p></htmltext>
<tokenext>Slashdot needs to retire the Bill Gates Borg picture .</tokentext>
<sentencetext>Slashdot needs to retire the Bill Gates Borg picture.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674698</id>
	<title>Son of portable apps</title>
	<author>Anonymous</author>
	<datestamp>1262771460000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Sounds like a good plan for the future. As far as I'm concerned, 2009 was the year for portable apps. All those useful apps we have on our thumbdrives and thinstalled. The registry and local app dirs have been virtualized and redirected to local stores in a subdirectory of the app dir. All the settings remain local to the app dir (just like the old days) and migrate with a simple copy. A full sandbox is an incremental step above this.</p><p>I suspect VMware won't be alone for long with their thinstaller. I suspect MS sees the future of app deployment being more like the portable apps we use today.</p></htmltext>
<tokenext>Sounds like a good plan for the future .
As far as I 'm concerned , 2009 was the year for portable apps .
All those useful apps we have on our thumbdrives and thinstalled .
The registry and local app dirs have been virtualized and redirected to local stores in a subdirectory of the app dir .
All the settings remain local to the app dir ( just like the old days ) and migrate with a simple copy .
A full sandbox is an incremental step above this.I suspect VMware wo n't be alone for long with their thinstaller .
I suspect MS sees the future of app deployment being more like the portable apps we use today .</tokentext>
<sentencetext>Sounds like a good plan for the future.
As far as I'm concerned, 2009 was the year for portable apps.
All those useful apps we have on our thumbdrives and thinstalled.
The registry and local app dirs have been virtualized and redirected to local stores in a subdirectory of the app dir.
All the settings remain local to the app dir (just like the old days) and migrate with a simple copy.
A full sandbox is an incremental step above this. I suspect VMware won't be alone for long with their thinstaller.
I suspect MS sees the future of app deployment being more like the portable apps we use today.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676384</id>
	<title>Nah, it can still be done</title>
	<author>Anonymous</author>
	<datestamp>1262779500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Even in Windows.

</p><p>My home system?  Windows XP.  And I use VMware Player to access the internet.  <i>And nothing else.</i>  That's the trick.  Towards that end here's what I've done:

</p><p>Step 1.  I got a USB 2.0 10 Base T network doohickey.  Then I plugged it in to my Windows box.  It has never heard of the thing and wanted a driver.  Cool!  Step one - passed.  There is no way my main machine can use this thing to get on the net.  FWIW, if it had known how to connect to this thing I would have gone and found the INF file that describes it and erased that.  For part one the main thing is to have a USB gizmo that can connect you to the internet, and make sure your machine <i>cannot use it.</i>  So for all purposes my main machine is not on the net.

</p><p>Step 2.  I load up a VMware Player machine (also XP) and disconnect the virtual network adapter, so there is no network link between it and the host machine.  Just in case the VM gets owned.  Then I have VMware transfer the USB device to the VM.  And I install the USB driver there.  And there *only*.

</p><p>Voilà!  My main machine is 100% off the net, and not able to be owned.  But I can still get on the net.  I'm *sandboxed*.  Zip up a copy of your VM and restore it every so often and Bob's your uncle.  Be sure to save off your bookmarks and email to a shared folder.  And if anything icky happens to your network VM, a full restore is just a file copy away.

</p><p>The only thing this doesn't work well for is online gaming.  You won't be able to WoW with this setup.  Well, you won't be able to do it very well.  I'd imagine the game would suck in a VM.  But since I don't play I don't worry about it much.</p></htmltext>
<tokenext>Even in Windows .
My home system ?
Windows XP .
And I use VMware Player to access the internet .
And nothing else .
That 's the trick .
Towards that end here 's what I 've done : Step 1 .
I got a USB 2.0 10 Base T network doohickey .
Then I plugged it in to my Windows box .
It has never heard of the thing and wanted a driver .
Cool ! Step one - passed .
There is no way my main machine can use this thing to get on the net .
FWIW , if it had known how to connect to this thing I would have gone and found the INF file that describes it and erased that .
For part one the main thing is to have a USB gizmo that can connect you to the internet , and make sure your machine can not use it .
So for all purposes my main machine is not on the net .
Step 2 .
I load up a VMware Player machine ( also XP ) and disconnect the virtual network adapter , so there is no network link between it and the host machine .
Just in case the VM gets owned .
Then I have VMware transfer the USB device to the VM .
And I install the USB driver there .
And there * only * .
Voilà ! My main machine is 100 % off the net , and not able to be owned .
But I can still get on the net .
I 'm * sandboxed * .
Zip up a copy of your VM and restore it every so often and Bob 's your uncle .
Be sure to save off your bookmarks and email to a shared folder .
And if anything icky happens to your network VM , a full restore is just a file copy away .
The only thing this does n't work well for is online gaming .
You wo n't be able to WoW with this setup .
Well , you wo n't be able to do it very well .
I 'd imagine the game would suck in a VM .
But since I do n't play I do n't worry about it much .</tokentext>
<sentencetext>Even in Windows.
My home system?
Windows XP.
And I use VMware Player to access the internet.
And nothing else.
That's the trick.
Towards that end here's what I've done:

Step 1.
I got a USB 2.0 10 Base T network doohickey.
Then I plugged it in to my Windows box.
It has never heard of the thing and wanted a driver.
Cool!  Step one - passed.
There is no way my main machine can use this thing to get on the net.
FWIW, if it had known how to connect to this thing I would have gone and found the INF file that describes it and erased that.
For part one the main thing is to have a USB gizmo that can connect you to the internet, and make sure your machine cannot use it.
So for all purposes my main machine is not on the net.
Step 2.
I load up a VMware Player machine (also XP) and disconnect the virtual network adapter, so there is no network link between it and the host machine.
Just in case the VM gets owned.
Then I have VMware transfer the USB device to the VM.
And I install the USB driver there.
And there *only*.
Voilà!  My main machine is 100% off the net, and not able to be owned.
But I can still get on the net.
I'm *sandboxed*.
Zip up a copy of your VM and restore it every so often and Bob's your uncle.
Be sure to save off your bookmarks and email to a shared folder.
And if anything icky happens to your network VM, a full restore is just a file copy away.
The only thing this doesn't work well for is online gaming.
You won't be able to WoW with this setup.
Well, you won't be able to do it very well.
I'd imagine the game would suck in a VM.
But since I don't play I don't worry about it much.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674936</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675644</id>
	<title>2011</title>
	<author>Pebby</author>
	<datestamp>1262775780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Then, clearly, 2011 will be the year of the Sandboxed Linux Desktop.</p></htmltext>
<tokenext>Then , clearly , 2011 will be the year of the Sandboxed Linux Desktop .</tokentext>
<sentencetext>Then, clearly, 2011 will be the year of the Sandboxed Linux Desktop.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675666</id>
	<title>How about reducing the surface area?</title>
	<author>argent</author>
	<datestamp>1262775840000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>3</modscore>
	<htmltext><p>Sandboxing means that once the attacker has used an input exploit to own the process, it has to perform a privilege escalation exploit to get out of the sandbox. The problem is that applications running in sandboxes have to be able to write files, read files, load and install plugins, execute helper applications, and generally do just about anything a regular application has to. So the sandbox can't be very "strong".</p><p>Instead of adding a leaky sandbox, how about reducing the surface area exposed to attack in the first place? Simplify the application. Get rid of things like XPI in Firefox and ActiveX in IE. Get rid of the need for third party plugins like Java and Flash (HTML5 goes a long way here). Get rid of the ability for network apps to masquerade as local apps (there's no reason a web page should be allowed to remove the status and address bar, for example). Don't even *offer* to automatically open a file after downloading. Remove that option from the browser completely. Get rid of Acrobat and other plug-in document viewers.</p><p>Yes, this might make it less convenient for websites to "wow" the user. So what? I'd rather be safe than "wow"ed.</p></htmltext>
<tokenext>Sandboxing means that once the attacker has used an input exploit to own the process , it has to perform a privilege escalation exploit to get out of the sandbox .
The problem is that applications running in sandboxes have to be able to write files , read files , load and install plugins , execute helper applications , and generally do just about anything a regular application has to .
So the sandbox ca n't be very " strong " . Instead of adding a leaky sandbox , how about reducing the surface area exposed to attack in the first place ?
Simplify the application .
Get rid of things like XPI in Firefox and ActiveX in IE .
Get rid of the need for third party plugins like Java and Flash ( HTML5 goes a long way here ) .
Get rid of the ability for network apps to masquerade as local apps ( there 's no reason a web page should be allowed to remove the status and address bar , for example ) .
Do n't even * offer * to automatically open a file after downloading .
Remove that option from the browser completely .
Get rid of Acrobat and other plug-in document viewers . Yes , this might make it less convenient for websites to " wow " the user .
So what ?
I 'd rather be safe than " wow " ed .</tokentext>
<sentencetext>Sandboxing means that once the attacker has used an input exploit to own the process, it has to perform a privilege escalation exploit to get out of the sandbox.
The problem is that applications running in sandboxes have to be able to write files, read files, load and install plugins, execute helper applications, and generally do just about anything a regular application has to.
So the sandbox can't be very "strong". Instead of adding a leaky sandbox, how about reducing the surface area exposed to attack in the first place?
Simplify the application.
Get rid of things like XPI in Firefox and ActiveX in IE.
Get rid of the need for third party plugins like Java and Flash (HTML5 goes a long way here).
Get rid of the ability for network apps to masquerade as local apps (there's no reason a web page should be allowed to remove the status and address bar, for example).
Don't even *offer* to automatically open a file after downloading.
Remove that option from the browser completely.
Get rid of Acrobat and other plug-in document viewers. Yes, this might make it less convenient for websites to "wow" the user.
So what?
I'd rather be safe than "wow"ed.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30679480</id>
	<title>Re:Nah, it can still be done</title>
	<author>tempest69</author>
	<datestamp>1262804100000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>ok.  while malware blows.. That's not enough to make a system stable.  The number of times I've had "explorer.exe has stopped working" alone make me cringe. or machine locks.  This isn't one poor machine.  It pervades computers.  sandboxing is a nice step to reduce full system crashing.. but is so far from the full monty.. <p>
Storm</p></htmltext>
<tokenext>ok. while malware blows.. That 's not enough to make a system stable .
The number of times I 've had " explorer.exe has stopped working " alone make me cringe .
or machine locks .
This is n't one poor machine .
It pervades computers .
sandboxing is a nice step to reduce full system crashing.. but is so far from the full monty. . Storm</tokentext>
<sentencetext>ok.  while malware blows.. That's not enough to make a system stable.
The number of times I've had "explorer.exe has stopped working" alone make me cringe.
or machine locks.
This isn't one poor machine.
It pervades computers.
sandboxing is a nice step to reduce full system crashing.. but is so far from the full monty.. 
Storm</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676384</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30679542</id>
	<title>Re:Let's just stop using the browser as an OS.</title>
	<author>Anonymous</author>
	<datestamp>1262805120000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>As someone who has developed both client/server programs outside the browser and browser based apps, I can say you are right and wrong. A stand alone app has a lot of advantages if you can get every single end user to install your stand alone app. Being inherently more secure is not necessarily one of those advantages though, it just seems that way because most stand alone apps are a) not documented and b) not distributed enough to bother hacking. If the app does become commonplace enough though (multiple Adobe products and Office both come to mind), then just as many attacks start appearing.</p><p>The part I think you are correct about though is that it would be nice to see HTML revised and expanded to cover more without resorting to Flash &amp; JavaScript.  Of course, if that was to happen (and it may be in progress, I don't know), we'd likely be writing HTML/JavaScript for IE6 for the next 10 years regardless simply because of the huge install base.</p></htmltext>
<tokenext>As someone who has developed both client/server programs outside the browser and browser based apps , I can say you are right and wrong .
A stand alone app has a lot of advantages if you can get every single end user to install your stand alone app .
Being inherently more secure is not necessarily one of those advantages though , it just seems that way because most stand alone apps are a ) not documented and b ) not distributed enough to bother hacking .
If the app does become commonplace enough though ( multiple Adobe products and Office both come to mind ) , then just as many attacks start appearing . The part I think you are correct about though is that it would be nice to see HTML revised and expanded to cover more without resorting to Flash &amp; JavaScript .
Of course , if that was to happen ( and it may be in progress , I do n't know ) , we 'd likely be writing HTML/JavaScript for IE6 for the next 10 years regardless simply because of the huge install base .</tokentext>
<sentencetext>As someone who has developed both client/server programs outside the browser and browser based apps, I can say you are right and wrong.
A stand alone app has a lot of advantages if you can get every single end user to install your stand alone app.
Being inherently more secure is not necessarily one of those advantages though, it just seems that way because most stand alone apps are a) not documented and b) not distributed enough to bother hacking.
If the app does become commonplace enough though (multiple Adobe products and Office both come to mind), then just as many attacks start appearing. The part I think you are correct about though is that it would be nice to see HTML revised and expanded to cover more without resorting to Flash &amp; JavaScript.
Of course, if that was to happen (and it may be in progress, I don't know), we'd likely be writing HTML/JavaScript for IE6 for the next 10 years regardless simply because of the huge install base.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678202</id>
	<title>Re:How about reducing the surface area?</title>
	<author>jhol13</author>
	<datestamp>1262791740000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p><div class="quote"><p>applications running in sandboxes have to be able to write files, read files, load and install plugins, execute helper applications,</p></div><p>No, they don't.</p><p>They can be made so that the only way to access the file system is by File Dialog (see Java Web Start / JNLP).</p></div>
	</htmltext>
<tokenext>applications running in sandboxes have to be able to write files , read files , load and install plugins , execute helper applications , No , they do n't . They can be made so that the only way to access the file system is by File Dialog ( see Java Web Start / JNLP ) .</tokentext>
<sentencetext>applications running in sandboxes have to be able to write files, read files, load and install plugins, execute helper applications, No, they don't. They can be made so that the only way to access the file system is by File Dialog (see Java Web Start / JNLP).
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675666</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30716020</id>
	<title>Re:Let's just stop using the browser as an OS.</title>
	<author>snadrus</author>
	<datestamp>1263153600000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>So you want to return to AOL's software-per-keyword mechanism? Or use browsers to download SonySiteViewer.exe ?</htmltext>
<tokenext>So you want to return to AOL 's software-per-keyword mechanism ?
Or use browsers to download SonySiteViewer.exe ?</tokentext>
<sentencetext>So you want to return to AOL's software-per-keyword mechanism?
Or use browsers to download SonySiteViewer.exe ?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675040</id>
	<title>Re:Already here. It's on my family PC..</title>
	<author>Jason Levine</author>
	<datestamp>1262773140000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I use that too.  Program I'm not sure about?  Run it in SandboxIE and delete the Sandbox when I'm done.  Website that might impact my security?  Run it while my browser is under SandboxIE so I'm safe from viral threats.</p></htmltext>
<tokenext>I use that too .
Program I 'm not sure about ?
Run it in SandboxIE and delete the Sandbox when I 'm done .
Website that might impact my security ?
Run it while my browser is under SandboxIE so I 'm safe from viral threats .</tokentext>
<sentencetext>I use that too.
Program I'm not sure about?
Run it in SandboxIE and delete the Sandbox when I'm done.
Website that might impact my security?
Run it while my browser is under SandboxIE so I'm safe from viral threats.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674516</id>
	<title>Beats waiting on lower computer prices...</title>
	<author>ibsteve2u</author>
	<datestamp>1262770500000</datestamp>
	<modclass>Offtopic</modclass>
	<modscore>0</modscore>
	<htmltext><p>About time...I was getting the impression that the solution was going to be $20 netbooks...use one to browse the web, it gets contaminated, and you throw it away and get a new one.  Not very efficient, resource-wise.</p></htmltext>
<tokenext>About time...I was getting the impression that the solution was going to be $ 20 netbooks...use one to browse the web , it gets contaminated , and you throw it away and get a new one .
Not very efficient , resource-wise .</tokentext>
<sentencetext>About time...I was getting the impression that the solution was going to be $20 netbooks...use one to browse the web, it gets contaminated, and you throw it away and get a new one.
Not very efficient, resource-wise.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675212</id>
	<title>Umm... actually...</title>
	<author>yttrstein</author>
	<datestamp>1262773920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Security did used to be very much about SYN packets and not much else.  Hi, I used to build ISPs in the early 90s.</htmltext>
<tokenext>Security did used to be very much about SYN packets and not much else .
Hi , I used to build ISPs in the early 90s .</tokentext>
<sentencetext>Security did used to be very much about SYN packets and not much else.
Hi, I used to build ISPs in the early 90s.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30679282</id>
	<title>Re:How about reducing the surface area?</title>
	<author>tepples</author>
	<datestamp>1262801940000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Get rid of the need for third party plugins like Java and Flash (HTML5 goes a long way here).</p></div><p>A long way, but not all the way. Java is statically typed, and fast ways of running statically typed bytecode are better understood. This makes it possible to run an NES emulator in Java with much higher frame rate than an equivalent emulator in a fully dynamic language like JavaScript.</p><p><div class="quote"><p>Don't even *offer* to automatically open a file after downloading.</p></div><p>Not even an HTML file?</p></div>
	</htmltext>
<tokenext>Get rid of the need for third party plugins like Java and Flash ( HTML5 goes a long way here ) . A long way , but not all the way .
Java is statically typed , and fast ways of running statically typed bytecode are better understood .
This makes it possible to run an NES emulator in Java with much higher frame rate than an equivalent emulator in a fully dynamic language like JavaScript . Do n't even * offer * to automatically open a file after downloading . Not even an HTML file ?</tokentext>
<sentencetext>Get rid of the need for third party plugins like Java and Flash (HTML5 goes a long way here). A long way, but not all the way.
Java is statically typed, and fast ways of running statically typed bytecode are better understood.
This makes it possible to run an NES emulator in Java with much higher frame rate than an equivalent emulator in a fully dynamic language like JavaScript. Don't even *offer* to automatically open a file after downloading. Not even an HTML file?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675666</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676766</id>
	<title>Re:Already here. It's on my family PC..</title>
	<author>Anonymous</author>
	<datestamp>1262781300000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>Why not just create a highly restricted user account and set up the IE icon to launch as that user?  Pretty simple and very fast (no performance hit at all).  Deny write and delete access to all drives, deny write access to the registry, remove all privileges... that should do it.</htmltext>
<tokenext>Why not just create a highly restricted user account and set up the IE icon to launch as that user ?
Pretty simple and very fast ( no performance hit at all ) .
Deny write and delete access to all drives , deny write access to the registry , remove all privileges... that should do it .</tokentext>
<sentencetext>Why not just create a highly restricted user account and set up the IE icon to launch as that user?
Pretty simple and very fast (no performance hit at all).
Deny write and delete access to all drives, deny write access to the registry, remove all privileges... that should do it.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675544</id>
	<title>You still want sandboxing</title>
	<author>Sloppy</author>
	<datestamp>1262775360000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>The answer isn't sandboxing.</p></div></blockquote><p>Yes it is, because even if the browser <em>didn't</em> have everything but the kitchen sink in it, it could still (for example) have a buffer overflow bug in an image decode library.  When that bug gets triggered, you want that process to be "nobody."</p></div>
	</htmltext>
<tokenext>The answer is n't sandboxing . Yes it is , because even if the browser did n't have everything but the kitchen sink in it , it could still ( for example ) have a buffer overflow bug in an image decode library .
When that bug gets triggered , you want that process to be " nobody . "</tokentext>
<sentencetext>The answer isn't sandboxing. Yes it is, because even if the browser didn't have everything but the kitchen sink in it, it could still (for example) have a buffer overflow bug in an image decode library.
When that bug gets triggered, you want that process to be "nobody."
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675324</id>
	<title>Horse.  Barn.</title>
	<author>istartedi</author>
	<datestamp>1262774460000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>That horse bolted the barn a long, loooong time ago.</p></htmltext>
<tokenext>That horse bolted the barn a long , loooong time ago .</tokentext>
<sentencetext>That horse bolted the barn a long, loooong time ago.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678436</id>
	<title>Re:Wow.... Welcome to Java applets, 1995...</title>
	<author>RobertM1968</author>
	<datestamp>1262793660000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Sandboxes are a tried and true idea, they work well.  It's about time</p></div><p>Ummm... didja mean "Sandboxes are a tried and true idea, they work well if Microsoft doesn't write the code"?

</p><p>Because it seems to me that it's been of no help with IE and Vista/Windows 7. Yeah, in theory, it's a great plan - and probably will work well everywhere else. But the key problem is its ineffectiveness on Microsoft platforms/browsers - but then again, their failures keep business coming in for me. No complaints here. Forget what I said above...</p></div>
	</htmltext>
<tokenext>Sandboxes are a tried and true idea , they work well .
It 's about time . Ummm... didja mean " Sandboxes are a tried and true idea , they work well if Microsoft does n't write the code " ?
Because it seems to me that it 's been of no help with IE and Vista/Windows 7 .
Yeah , in theory , it 's a great plan - and probably will work well everywhere else .
But the key problem is its ineffectiveness on Microsoft platforms/browsers - but then again , their failures keep business coming in for me .
No complaints here .
Forget what I said above.. .</tokentext>
<sentencetext>Sandboxes are a tried and true idea, they work well.
It's about time. Ummm... didja mean "Sandboxes are a tried and true idea, they work well if Microsoft doesn't write the code"?
Because it seems to me that it's been of no help with IE and Vista/Windows 7.
Yeah, in theory, it's a great plan - and probably will work well everywhere else.
But the key problem is its ineffectiveness on Microsoft platforms/browsers - but then again, their failures keep business coming in for me.
No complaints here.
Forget what I said above...
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674458</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30681814</id>
	<title>Re:How about reducing the surface area?</title>
	<author>tepples</author>
	<datestamp>1262876700000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Get rid of the ability for network apps to masquerade as local apps (there's no reason a web page should be allowed to remove the status and address bar, for example).</p></div><p>I just thought of another one: When you've pushed the button to expand video to the full screen on YouTube or Hulu, do you really want a bright gray status and address bar ruining the picture's perceived contrast?</p></div>
	</htmltext>
<tokenext>Get rid of the ability for network apps to masquerade as local apps ( there 's no reason a web page should be allowed to remove the status and address bar , for example ) . I just thought of another one : When you 've pushed the button to expand video to the full screen on YouTube or Hulu , do you really want a bright gray status and address bar ruining the picture 's perceived contrast ?</tokentext>
<sentencetext>Get rid of the ability for network apps to masquerade as local apps (there's no reason a web page should be allowed to remove the status and address bar, for example). I just thought of another one: When you've pushed the button to expand video to the full screen on YouTube or Hulu, do you really want a bright gray status and address bar ruining the picture's perceived contrast?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675666</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675314</id>
	<title>Instead of validating inputs</title>
	<author>vlm</author>
	<datestamp>1262774460000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>3</modscore>
	<htmltext><p>Cool, instead of screwing up the simple task of validating inputs, we'll simply screw up the complicated task of sandboxing.  Awesomeness!</p></htmltext>
<tokenext>Cool , instead of screwing up the simple task of validating inputs , we 'll simply screw up the complicated task of sandboxing .
Awesomeness !</tokentext>
<sentencetext>Cool, instead of screwing up the simple task of validating inputs, we'll simply screw up the complicated task of sandboxing.
Awesomeness!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676814</id>
	<title>Re:Nah, it can still be done</title>
	<author>lgw</author>
	<datestamp>1262781660000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>There are proven VMware breakout exploits.  You've merely forced the malware to use something other than the network to escape.  Not a practical risk today, but it's only a matter of time, unless we re-invent "trusted computing" with 100% less evil, and encrypt the host resources (especially memory, including CPU cache) at the hardware level.</p></htmltext>
<tokenext>There are proven VMware breakout exploits .
You 've merely forced the malware to use something other than the network to escape .
Not a practical risk today , but it 's only a matter of time , unless we re-invent " trusted computing " with 100 % less evil , and encrypt the host resources ( especially memory , including CPU cache ) at the hardware level .</tokentext>
<sentencetext>There are proven VMware breakout exploits.
You've merely forced the malware to use something other than the network to escape.
Not a practical risk today, but it's only a matter of time, unless we re-invent "trusted computing" with 100% less evil, and encrypt the host resources (especially memory, including CPU cache) at the hardware level.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676384</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674936</id>
	<title>Re:A wish, not a prediction</title>
	<author>tempest69</author>
	<datestamp>1262772660000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>Sandboxing is long overdue. It's a primitive step in the right direction, but it's needed to take the whole host of steps that can make a stable system.  There is a freakload of work that needs to be done to get past the mess that exists in current operating systems.  But instead of making a really innovative system, we keep getting more of the same: incremental improvement to the desktop system.<br>
Sandboxing is a decade late, we should be so much further by now..  dang.<p>
Storm</p></htmltext>
<tokenext>Sandboxing is long overdue .
It 's a primitive step in the right direction , but it 's needed to take the whole host of steps that can make a stable system .
There is a freakload of work that needs to be done to get past the mess that exists in current operating systems .
But instead of making a really innovative system , we keep getting more of the same : incremental improvement to the desktop system .
Sandboxing is a decade late , we should be so much further by now.. dang . Storm</tokentext>
<sentencetext>Sandboxing is long overdue.
It's a primitive step in the right direction, but it's needed to take the whole host of steps that can make a stable system.
There is a freakload of work that needs to be done to get past the mess that exists in current operating systems.
But instead of making a really innovative system, we keep getting more of the same: incremental improvement to the desktop system.
Sandboxing is a decade late, we should be so much further by now..  dang.
Storm</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674432</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480</id>
	<title>Already here.  It's on my family PC..</title>
	<author>Anonymous</author>
	<datestamp>1262770320000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>4</modscore>
	<htmltext><p>sandboxie...  Great program, will NOT work on a 64 bit OS.</p><p>It has kept my Daughter's PC free of crap because she refuses to not click on everything and not use Internet explorer... so I sandboxed it.   Click on everything, it's all sandboxed.</p></htmltext>
<tokenext>sandboxie... Great program , will NOT work on a 64 bit OS. It has kept my Daughter 's PC free of crap because she refuses to not click on everything and not use Internet explorer... so I sandboxed it .
Click on everything , it 's all sandboxed .</tokentext>
<sentencetext>sandboxie...  Great program, will NOT work on a 64 bit OS. It has kept my Daughter's PC free of crap because she refuses to not click on everything and not use Internet explorer... so I sandboxed it.
Click on everything, it's all sandboxed.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675394</id>
	<title>Re:And the year of..</title>
	<author>Anonymous</author>
	<datestamp>1262774820000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>And?  IE8 is certainly not the standard of good programming, anywhere, even in Microsoft.</p><p>Why not Chrome?  That sandboxes and is speedy as a photon on steroids.<br>Even WITH extensions, it is still incredibly fast.<br>And i have fair amount of extensions, almost as much as i had in Firefox previously, and certainly more than i do now and Firefox is still significantly slower.  (I have 4 in the current install vs 17 in Chrome)</p><p>Sandboxing isn't slow, it is the devs that coded it horribly who made it slow.</p></htmltext>
<tokenext>And ?
IE8 is certainly not the standard of good programming , anywhere , even in Microsoft.Why not Chrome ?
That sandboxes and is speedy as a photon on steroids.Even WITH extensions , it is still incredibly fast.And i have fair amount of extensions , almost as much as i had in Firefox previously , and certainly more than i do now and Firefox is still significantly slower .
( I have 4 in the current install vs 17 in Chrome ) Sandboxing is n't slow , it is the devs that coded it horribly who made it slow .</tokentext>
<sentencetext>And?
IE8 is certainly not the standard of good programming, anywhere, even in Microsoft.Why not Chrome?
That sandboxes and is speedy as a photon on steroids.Even WITH extensions, it is still incredibly fast.And i have fair amount of extensions, almost as much as i had in Firefox previously, and certainly more than i do now and Firefox is still significantly slower.
(I have 4 in the current install vs 17 in Chrome)Sandboxing isn't slow, it is the devs that coded it horribly who made it slow.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674394</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30677448</id>
	<title>Capability based operating systems</title>
	<author>Anonymous</author>
	<datestamp>1262785920000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>The whole sandbox idea is utterly broken on all mainstream OS's that I know of as there is no fine grain capabilities that are even remotely close to what a capability based operating system can do. This includes the security circus that is Linux.</p></htmltext>
<tokenext>The whole sandbox idea is utterly broken on all mainstream OS 's that I know of as there is no fine grain capabilities that are even remotely close to what a capability based operating system can do .
This includes the security circus that is Linux .</tokentext>
<sentencetext>The whole sandbox idea is utterly broken on all mainstream OS's that I know of as there is no fine grain capabilities that are even remotely close to what a capability based operating system can do.
This includes the security circus that is Linux.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675002</id>
	<title>Re:Let's just stop using the browser as an OS.</title>
	<author>MobileTatsu-NJG</author>
	<datestamp>1262772960000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>If you stopped and asked <i>why</i> those 'fools' would want to accomplish a task in a browser, you'd realize why 'writing apps that run outside of the browser' isn't the ideal situation.</p></htmltext>
<tokenext>If you stopped and asked why those 'fools ' would want to accomplish a task in a browser , you 'd realize why 'writing apps that run outside of the browser ' is n't the ideal situation .</tokentext>
<sentencetext>If you stopped and asked why those 'fools' would want to accomplish a task in a browser, you'd realize why 'writing apps that run outside of the browser' isn't the ideal situation.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674452</id>
	<title>Windows 7</title>
	<author>gbjbaanb</author>
	<datestamp>1262770200000</datestamp>
	<modclass>Funny</modclass>
	<modscore>3</modscore>
	<htmltext><p>Great, I just upgraded from XP to Windows 7 and now all my apps have to be run in XP Mode's virtual machines. Thanks Microsoft.<nobr> <wbr></nobr>:)</p></htmltext>
<tokenext>Great , I just upgraded from XP to Windows 7 and now all my apps have to be run in XP Mode 's virtual machines .
Thanks Microsoft .
: )</tokentext>
<sentencetext>Great, I just upgraded from XP to Windows 7 and now all my apps have to be run in XP Mode's virtual machines.
Thanks Microsoft.
:)</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675444</id>
	<title>Re:Already here. It's on my family PC..</title>
	<author>tunapez</author>
	<datestamp>1262775060000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Been using SandboxIE for 3 years now. Highly recommended utility.<br>Right-click <i>any</i> program and run it sandboxed.</p><p>Additionally, useful for testing captured malware. In a VM is recommended, never know if/how/when it may be subverted.</p></htmltext>
<tokenext>Been using SandboxIE for 3 years now .
Highly recommended utility.Right-click any program and run it sandboxed.Additionally , useful for testing captured malware .
In a VM is recommended , never know if/how/when it may be subverted .</tokentext>
<sentencetext>Been using SandboxIE for 3 years now.
Highly recommended utility.Right-click any program and run it sandboxed.Additionally, useful for testing captured malware.
In a VM is recommended, never know if/how/when it may be subverted.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678112</id>
	<title>Re:requires sophistication &amp; motivation; not o</title>
	<author>jhol13</author>
	<datestamp>1262790900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>user understand something about the sandbox</p></div><p>Why? The user has no clue about ssh privilege separation and still it works extremely well.</p><p><div class="quote"><p>user go through various hassles because of the sandbox</p></div><p>I agree Microsoft nor Linux can do it well, but just perhaps Apple might be able to do it seamless.</p><p><div class="quote"><p>A flash game has to be a Turing-complete program.</p></div><p>Turing complete does not mean "must have access to whole system".<br>Actually it means nothing in this context (there exist exactly zero Turing complete systems in the "real world"). AFAIK a PDF can take "long enough" to print that it makes no difference whether it is ever going to halt or not.</p></div>
	</htmltext>
<tokenext>user understand something about the sandboxWhy ?
The user has no clue about ssh privilege separation and still it works extremely well.user go through various hassles because of the sandboxI agree Microsoft nor Linux can do it well , but just perhaps Apple might be able to do it seamless.A flash game has to be a Turing-complete program.Turing complete does not mean " must have access to whole system " .Actually it means nothing in this context ( there exist exactly zero Turing complete systems in the " real world " ) .
AFAIK a PDF can take " long enough " to print that it makes no difference whether it is ever going to halt or not .</tokentext>
<sentencetext>user understand something about the sandboxWhy?
The user has no clue about ssh privilege separation and still it works extremely well.user go through various hassles because of the sandboxI agree Microsoft nor Linux can do it well, but just perhaps Apple might be able to do it seamless.A flash game has to be a Turing-complete program.Turing complete does not mean "must have access to whole system".Actually it means nothing in this context (there exist exactly zero Turing complete systems in the "real world").
AFAIK a PDF can take "long enough" to print that it makes no difference whether it is ever going to halt or not.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674594</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675510</id>
	<title>Re:you mean like an operating system is supposed t</title>
	<author>jpmorgan</author>
	<datestamp>1262775240000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>This isn't a Windows specific problem. The fundamental problem is the user/process model that's been popular since the inception of UNIX (maybe even earlier, I don't know enough about Multics to say): the idea that only users have identities and programs run under the identity (and permissions) of the user who runs it. If I'm running a game, there's no reason why it needs access to my tax spreadsheets, etc...</p><p>All software should be running under its own identity and access to user documents should be through standardized user interfaces... i.e., the 'File Open' dialog is actually a part of the OS not the application, and also grants temporary permissions in addition to just selecting a file.</p><p>We talk about the principle of 'least privilege' but in practice (with a few notable exceptions) the 'low-privilege' processes have the most important privileges of all: access to all our stuff.</p></htmltext>
<tokenext>This is n't a Windows specific problem .
The fundamental problem is the user/process model that 's been popular since the inception of UNIX ( maybe even earlier , I do n't know enough about Multics to say ) : the idea that only users have identities and programs run under the identity ( and permissions ) of the user who runs it .
If I 'm running a game , there 's no reason why it needs access to my tax spreadsheets , etc...All software should be running under its own identity and access to user documents should be through standardized user interfaces.. .
i.e. , the 'File Open ' dialog is actually a part of the OS not the application , and also grants temporary permissions in addition to just selecting a file.We talk about the principle of 'least privilege ' but in practice ( with a few notable exceptions ) the 'low-privilege ' processes have the most important privileges of all : access to all our stuff .</tokentext>
<sentencetext>This isn't a Windows specific problem.
The fundamental problem is the user/process model that's been popular since the inception of UNIX (maybe even earlier, I don't know enough about Multics to say): the idea that only users have identities and programs run under the identity (and permissions) of the user who runs it.
If I'm running a game, there's no reason why it needs access to my tax spreadsheets, etc...All software should be running under its own identity and access to user documents should be through standardized user interfaces...
i.e., the 'File Open' dialog is actually a part of the OS not the application, and also grants temporary permissions in addition to just selecting a file.We talk about the principle of 'least privilege' but in practice (with a few notable exceptions) the 'low-privilege' processes have the most important privileges of all: access to all our stuff.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674988</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676292</id>
	<title>Ever heard of an app called "SandBoxie"?</title>
	<author>Anonymous</author>
	<datestamp>1262778840000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Per my subject-line above?</p><p><a href="http://www.sandboxie.com/" title="sandboxie.com" rel="nofollow">http://www.sandboxie.com/</a> [sandboxie.com]</p><p>Now, from what I understand as to EXACTLY what it does &amp; how it works? Well, what it does, is use a FILTERING DRIVER to "intercept" interrupts that send calls to the OS &amp; filesystem to do writes to your local Hard Disk Drives, creating a 'virtual HDD' (really a set of folders, wherever YOU choose to place them also, mind you)</p><p>For that?? Well - I use a solid-state drive called a GIGABYTE IRAM to do this, less latency this way (because unfortunately, this DOES add somewhat of a speed-hit to things if you use a std. mechanical HDD, even IF it's say, a 10,000rpm 16mb buffered WD Velociraptor)</p><p>That's "sandboxing", in a nutshell, WITHOUT the use of a VM...</p><p>(Folks MOSTLY tend to use it for internet surfing with a LOT more safety, &amp; today/nowadays what with javascript exploits &amp; such being foisted on us potentially @ least? Makes sense... but, it's NOT just restricted to webbrowsers either, so you all know this "up front", and, it works pretty well!)</p><p>APK</p><p>P.S.=&gt; I suppose that *NIX folks MIGHT call it analogous to a chroot jail, but... well, there you are: Basically a GUI model of chroot, albeit for Windows rigs! apk</p></htmltext>
<tokenext>Per my subject-line above ? http : //www.sandboxie.com/ [ sandboxie.com ] Now , from what I understand as to EXACTLY what it does &amp; how it works ?
Well , what it does , is use a FILTERING DRIVER to " intercept " interrupts that send calls to the OS &amp; filesystem to do writes to your local Hard Disk Drives , creating a 'virtual HDD ' ( really a set of folders , wherever YOU choose to place them also , mind you ) For that ? ?
Well - I use a solid-state drive called a GIGABYTE IRAM to do this , less latency this way ( because unfortunately , this DOES add somewhat of a speed-hit to things if you use a std .
mechanical HDD , even IF it 's say , a 10,000rpm 16mb buffered WD Velociraptor ) That 's " sandboxing " , in a nutshell , WITHOUT the use of a VM... ( Folks MOSTLY tend to use it for internet surfing with a LOT more safety , &amp; today/nowadays what with javascript exploits &amp; such being foisted on us potentially @ least ?
Makes sense... but , it 's NOT just restricted to webbrowsers either , so you all know this " up front " , and , it works pretty well !
) APKP.S. = &gt; I suppose that * NIX folks MIGHT call it analogous to a chroot jail , but... well , there you are : Basically a GUI model of chroot , albeit for Windows rigs !
apk</tokentext>
<sentencetext>Per my subject-line above?http://www.sandboxie.com/ [sandboxie.com]Now, from what I understand as to EXACTLY what it does &amp; how it works?
Well, what it does, is use a FILTERING DRIVER to "intercept" interrupts that send calls to the OS &amp; filesystem to do writes to your local Hard Disk Drives, creating a 'virtual HDD' (really a set of folders, wherever YOU choose to place them also, mind you) For that??
Well - I use a solid-state drive called a GIGABYTE IRAM to do this, less latency this way (because unfortunately, this DOES add somewhat of a speed-hit to things if you use a std.
mechanical HDD, even IF it's say, a 10,000rpm 16mb buffered WD Velociraptor)That's "sandboxing", in a nutshell, WITHOUT the use of a VM...(Folks MOSTLY tend to use it for internet surfing with a LOT more safety, &amp; today/nowadays what with javascript exploits &amp; such being foisted on us potentially @ least?
Makes sense... but, it's NOT just restricted to webbrowsers either, so you all know this "up front", and, it works pretty well!
)APKP.S.=&gt; I suppose that *NIX folks MIGHT call it analogous to a chroot jail, but... well, there you are: Basically a GUI model of chroot, albeit for Windows rigs!
apk</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674820</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676462</id>
	<title>standard on Ubuntu</title>
	<author>pydev</author>
	<datestamp>1262779980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Well, it's nice if Microsoft and Apple get their desktops upgraded, but AppArmor is standard on Ubuntu and has rules for common desktop apps in place.</p></htmltext>
<tokenext>Well , it 's nice if Microsoft and Apple get their desktops upgraded , but AppArmor is standard on Ubuntu and has rules for common desktop apps in place .</tokentext>
<sentencetext>Well, it's nice if Microsoft and Apple get their desktops upgraded, but AppArmor is standard on Ubuntu and has rules for common desktop apps in place.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30677874</id>
	<title>Re:you mean like an operating system is supposed t</title>
	<author>jonaskoelker</author>
	<datestamp>1262788980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>We talk about the principle of 'least privilege' but in practice (with a few notable exceptions) the 'low-privilege' processes have the most important privileges of all: access to all our stuff.</p></div><p>What are you talking about?  None of my users---whom I've made the embodiment of "least privilege"---have access to any of <em>my</em> stuff...</p><p>-- your friendly neighbourhood BOFH</p></div>
	</htmltext>
<tokenext>We talk about the principle of 'least privilege ' but in practice ( with a few notable exceptions ) the 'low-privilege ' processes have the most important privileges of all : access to all our stuff.What are you talking about ?
None of my users---whom I 've made the embodiment of " least privilege " ---have access to any of my stuff...-- your friendly neighbourhood BOFH</tokentext>
<sentencetext>We talk about the principle of 'least privilege' but in practice (with a few notable exceptions) the 'low-privilege' processes have the most important privileges of all: access to all our stuff.What are you talking about?
None of my users---whom I've made the embodiment of "least privilege"---have access to any of my stuff...-- your friendly neighbourhood BOFH
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675510</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676648</id>
	<title>Re:And the year of..</title>
	<author>neokushan</author>
	<datestamp>1262780760000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>And who's going to pay to have all these signed apps run?</p><p>That scenario ends up going one of two ways:</p><p>1) The signing process is made free and becomes self-signed (Think Android), which completely negates the whole point of it as anyone can sign anything.</p><p>2) The signing process costs money, no company will do it for free so in order to get your app signed, you need to pay. This isn't cheap, often 3-digit territory and only really feasible for fairly large companies. Indie developers are screwed. Open source software is screwed. Freeware is screwed. Say goodbye to Media player classic, FFDSHOW, VLC, Firefox, Opera, Chrome, CCleaner, Spybot, AVG (The free version, anyway) and anything else that you've been given for free. It's all gone, or at the very least, such a hassle to run (hurrah for installing unsigned certs every day!) that people just disable the whole thing entirely, bringing you back to square one.<br>Signing does not work.</p></htmltext>
<tokenext>And who 's going to pay to have all these signed apps run ? That scenario ends up going one of two ways : 1 ) The signing process is made free and becomes self-signed ( Think Android ) , which completely negates the whole point of it as anyone can sign anything. 2 ) The signing process costs money , no company will do it for free so in order to get your app signed , you need to pay .
This is n't cheap , often 3-digit territory and only really feasible for fairly large companies .
Indie developers are screwed .
Open source software is screwed .
Freeware is screwed .
Say goodbye to Media player classic , FFDSHOW , VLC , Firefox , Opera , Chrome , CCleaner , Spybot , AVG ( The free version , anyway ) and anything else that you 've been given for free .
It 's all gone , or at the very least , such a hassle to run ( hurrah for installing unsigned certs every day !
) that people just disable the whole thing entirely , bringing you back to square one.Signing does not work .</tokentext>
<sentencetext>And who's going to pay to have all these signed apps run? That scenario ends up going one of two ways: 1) The signing process is made free and becomes self-signed (Think Android), which completely negates the whole point of it as anyone can sign anything. 2) The signing process costs money, no company will do it for free so in order to get your app signed, you need to pay.
This isn't cheap, often 3-digit territory and only really feasible for fairly large companies.
Indie developers are screwed.
Open source software is screwed.
Freeware is screwed.
Say goodbye to Media player classic, FFDSHOW, VLC, Firefox, Opera, Chrome, CCleaner, Spybot, AVG (The free version, anyway) and anything else that you've been given for free.
It's all gone, or at the very least, such a hassle to run (hurrah for installing unsigned certs every day!
) that people just disable the whole thing entirely, bringing you back to square one.Signing does not work.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675950</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675930</id>
	<title>Re:Wow.... Welcome to Java applets, 1995...</title>
	<author>Anonymous</author>
	<datestamp>1262776980000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>Sandboxes usually get filled with cat scat. We'll have to see what happens with software sandboxes, but definitely the term they were taken from - playground sandboxes - sure don't stay clean.</htmltext>
<tokenext>Sandboxes usually get filled with cat scat .
We 'll have to see what happens with software sandboxes , but definitely the term they were taken from - playground sandboxes - sure do n't stay clean .</tokentext>
<sentencetext>Sandboxes usually get filled with cat scat.
We'll have to see what happens with software sandboxes, but definitely the term they were taken from - playground sandboxes - sure don't stay clean.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674458</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674394</id>
	<title>And the year of..</title>
	<author>Anonymous</author>
	<datestamp>1262769960000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>.. bloat.</p><p>Just look at how slow IE8 is to use.</p></htmltext>
<tokenext>.. bloat.Just look at how slow IE8 is to use .</tokentext>
<sentencetext>.. bloat.Just look at how slow IE8 is to use.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674820</id>
	<title>So, everything will run via interpreter then?</title>
	<author>Anonymous</author>
	<datestamp>1262772240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Usually when I hear the term used, it refers to implementation of an interpreter of bytecode (java or dot net).</p><p>So, then it will just be an interpreter layer, that removes direct access to hardware APIs?</p><p>That would seem to require more clock cycles to run, and some more RAM, and even would mean that the interpreter could be reverse-engineered so it could be ported to other platforms....</p></htmltext>
<tokenext>Usually when I hear the term used , it refers to implementation of an interpreter of bytecode ( java or dot net ) . So , then it will just be an interpreter layer , that removes direct access to hardware APIs ? That would seem to require more clock cycles to run , and some more RAM , and even would mean that the interpreter could be reverse-engineered so it could be ported to other platforms... .</tokentext>
<sentencetext>Usually when I hear the term used, it refers to implementation of an interpreter of bytecode (java or dot net). So, then it will just be an interpreter layer, that removes direct access to hardware APIs? That would seem to require more clock cycles to run, and some more RAM, and even would mean that the interpreter could be reverse-engineered so it could be ported to other platforms....</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675604</id>
	<title>Fundamental Problem</title>
	<author>Anonymous</author>
	<datestamp>1262775600000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>The fundamental problem is that users want their computer to do things. They want responsive rich media web applications so conventional wisdom to turn off everything but HTML rendering causes their computer to not do stuff it used to be capable of.

The second problem is that in order for computers to do things, particularly in networked environments, is that processes could be working with trusted, semi-trusted or untrusted stuff (be-it content, code, whatever, it doesn't matter for the purpose used.) When security tools attempt to figure out what ought to be trusted or not trusted and gets it wrong, you either do something unsafe or you block the user from doing what they want to do (even if you or me would consider what they want to do as foolish or downright dangerous.) When users are expected to indicate what is trusted or not trusted they generally lack the insight to know what to pick, and vendors are at peril of designing annoying software that provides little true security if users always click "yes" causing the unsafe action to happen, or prevents their computer from working as expected, if they always click "no."

Sandboxing can be effective to limit access to other application's data, but can greatly limit interoperability and requires the developer make some decisions on behalf of the user, or makes the developer ask the user how isolated the process is from other resources in a way that is meaningful and they can understand what the consequences in either case will be if they approve (ideally at setup).</htmltext>
<tokenext>The fundamental problem is that users want their computer to do things .
They want responsive rich media web applications so conventional wisdom to turn off everything but HTML rendering causes their computer to not do stuff it used to be capable of .
The second problem is that in order for computers to do things , particularly in networked environments , is that processes could be working with trusted , semi-trusted or untrusted stuff ( be-it content , code , whatever , it does n't matter for the purpose used .
) When security tools attempt to figure out what ought to be trusted or not trusted and gets it wrong , you either do something unsafe or you block the user from doing what they want to do ( even if you or me would consider what they want to do as foolish or downright dangerous .
) When users are expected to indicate what is trusted or not trusted they generally lack the insight to know what to pick , and vendors are at peril of designing annoying software that provides little true security if users always click " yes " causing the unsafe action to happen , or prevents their computer from working as expected , if they always click " no .
" Sandboxing can be effective to limit access to other application 's data , but can greatly limit interoperability and requires the developer make some decisions on behalf of the user , or makes the developer ask the user how isolated the process is from other resources in a way that is meaningful and they can understand what the consequences in either case will be if they approve ( ideally at setup ) .</tokentext>
<sentencetext>The fundamental problem is that users want their computer to do things.
They want responsive rich media web applications so conventional wisdom to turn off everything but HTML rendering causes their computer to not do stuff it used to be capable of.
The second problem is that in order for computers to do things, particularly in networked environments, is that processes could be working with trusted, semi-trusted or untrusted stuff (be-it content, code, whatever, it doesn't matter for the purpose used.
) When security tools attempt to figure out what ought to be trusted or not trusted and gets it wrong, you either do something unsafe or you block the user from doing what they want to do (even if you or me would consider what they want to do as foolish or downright dangerous.
) When users are expected to indicate what is trusted or not trusted they generally lack the insight to know what to pick, and vendors are at peril of designing annoying software that provides little true security if users always click "yes" causing the unsafe action to happen, or prevents their computer from working as expected, if they always click "no.
"

Sandboxing can be effective to limit access to other application's data, but can greatly limit interoperability and requires the developer make some decisions on behalf of the user, or makes the developer ask the user how isolated the process is from other resources in a way that is meaningful and they can understand what the consequences in either case will be if they approve (ideally at setup).</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678996</id>
	<title>Re:Let's just stop using the browser as an OS.</title>
	<author>Phiu-x</author>
	<datestamp>1262798760000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>It's 2009. That's evolution baby!</htmltext>
<tokenext>It 's 2009 .
That 's evolution baby !</tokentext>
<sentencetext>It's 2009.
That's evolution baby!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674934</id>
	<title>Yea, right. (you hold my breath for me department)</title>
	<author>Suki I</author>
	<datestamp>1262772660000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>'Instead of the usual top ten lists that are all-too-common with predictions for the new year, I have just one: 2010 will be the year of desktop applications handling untrusted data in sandboxed processes, and it will be about time.</p></div>
</blockquote><p>

Let us all know how that works out for you this time next year, big boy?</p>
	</htmltext>
<tokenext>'Instead of the usual top ten lists that are all-too-common with predictions for the new year , I have just one : 2010 will be the year of desktop applications handling untrusted data in sandboxed processes , and it will be about time .
Let us all know how that works out for you this time next year , big boy ?</tokentext>
<sentencetext>'Instead of the usual top ten lists that are all-too-common with predictions for the new year, I have just one: 2010 will be the year of desktop applications handling untrusted data in sandboxed processes, and it will be about time.
Let us all know how that works out for you this time next year, big boy?
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676736</id>
	<title>Wishful thinking</title>
	<author>tsotha</author>
	<datestamp>1262781120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>At the same time some people in the industry are talking about sandboxes other people are talking about adding yet more features to the browser so web apps can compete with boxed software.  Added functionality nearly always wins over added security, so I expect we'll go into 2011 with even more avenues for Russian mobsters to lift your identity.
</p><p>Java has had a sandbox since forever, and it's virtually unused in commercial applications.  Why?  Because it's a pain in the ass to give the user everything he wants when you can't do things like connect to random URLs, use a printer, or open ports.</p></htmltext>
<tokenext>At the same time some people in the industry are talking about sandboxes other people are talking about adding yet more features to the browser so web apps can compete with boxed software .
Added functionality nearly always wins over added security , so I expect we 'll go into 2011 with even more avenues for Russian mobsters to lift your identity .
Java has had a sandbox since forever , and it 's virtually unused in commercial applications .
Why ? Because it 's a pain in the ass to give the user everything he wants when you ca n't do things like connect to random URLs , use a printer , or open ports .</tokentext>
<sentencetext>At the same time some people in the industry are talking about sandboxes other people are talking about adding yet more features to the browser so web apps can compete with boxed software.
Added functionality nearly always wins over added security, so I expect we'll go into 2011 with even more avenues for Russian mobsters to lift your identity.
Java has had a sandbox since forever, and it's virtually unused in commercial applications.
Why?  Because it's a pain in the ass to give the user everything he wants when you can't do things like connect to random URLs, use a printer, or open ports.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675092</id>
	<title>Whatcha gonna do, if the CPUs don't sell anymore..</title>
	<author>Hurricane78</author>
	<datestamp>1262773380000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>1</modscore>
	<htmltext><p>...because nearly nobody needs even more power...</p><p>Just sandbox everything, and sandbox it again, then interpret, sandbox, and interpret again. Until you can barely get the framerate of a small handheld console from 15 years ago (remember that JavaScript Tetris?)</p><p>Just don&rsquo;t feel the urge to actually write clean code. And cling to C-like languages, &rsquo;till the bitter end. Since C in a generic VM is oh-so-much faster, than Java (in its Hotspot VM) or Haskell on the bare metal...</p><p>Yay. I wonder how much I will kick the butts of others by writing clean straight-to-the-metal code without having to micromanage (C-style)...<nobr> <wbr></nobr>;)</p></htmltext>
<tokenext>...because nearly nobody needs even more power... Just sandbox everything , and sandbox it again , then interpret , sandbox , and interpret again .
Until you can barely get the framerate of a small handheld console from 15 years ago ( remember that JavaScript Tetris ?
) Just don ’ t feel the urge to actually write clean code .
And cling to C-like languages , ’ till the bitter end .
Since C in a generic VM is oh-so-much faster , than Java ( in its Hotspot VM ) or Haskell on the bare metal... Yay .
I wonder how much I will kick the butts of others by writing clean straight-to-the-metal code without having to micromanage ( C-style ) ... ; )</tokentext>
<sentencetext>...because nearly nobody needs even more power... Just sandbox everything, and sandbox it again, then interpret, sandbox, and interpret again.
Until you can barely get the framerate of a small handheld console from 15 years ago (remember that JavaScript Tetris?
) Just don’t feel the urge to actually write clean code.
And cling to C-like languages, ’till the bitter end.
Since C in a generic VM is oh-so-much faster, than Java (in its Hotspot VM) or Haskell on the bare metal... Yay.
I wonder how much I will kick the butts of others by writing clean straight-to-the-metal code without having to micromanage (C-style)... ;)</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674956</id>
	<title>Isolate</title>
	<author>gmuslera</author>
	<datestamp>1262772780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Just yesterday was reading about Isolate (<a href="http://code.google.com/p/isolate/" title="google.com">http://code.google.com/p/isolate/</a> [google.com]) that looks going to the core of the problem. You can sandbox any app, but not needing to sandbox all the desktop/OS/etc for that. So if your browser or media player, or other programs could have a risk of doing locally something you don't want, you can run it in a way that doesn't touch or modify anything private. in a very easy way.</htmltext>
<tokenext>Just yesterday was reading about Isolate ( http : //code.google.com/p/isolate/ [ google.com ] ) that looks going to the core of the problem .
You can sandbox any app , but not needing to sandbox all the desktop/OS/etc for that .
So if your browser or media player , or other programs could have a risk of doing locally something you do n't want , you can run it in a way that does n't touch or modify anything private .
in a very easy way .</tokentext>
<sentencetext>Just yesterday was reading about Isolate (http://code.google.com/p/isolate/ [google.com]) that looks going to the core of the problem.
You can sandbox any app, but not needing to sandbox all the desktop/OS/etc for that.
So if your browser or media player, or other programs could have a risk of doing locally something you don't want, you can run it in a way that doesn't touch or modify anything private.
in a very easy way.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675024</id>
	<title>Awesome!</title>
	<author>InlawBiker</author>
	<datestamp>1262773080000</datestamp>
	<modclass>Funny</modclass>
	<modscore>4</modscore>
	<htmltext><p>I was just handed a memo from a collection of all major software and hardware vendors on Earth, saying that security will be put ahead of profits from now on!  It was delivered by a Unicorn, who got here on the gumdrop express via the rainbow highway.</p></htmltext>
<tokenext>I was just handed a memo from a collection of all major software and hardware vendors on Earth , saying that security will be put ahead of profits from now on !
It was delivered by a Unicorn , who got here on the gumdrop express via the rainbow highway .</tokentext>
<sentencetext>I was just handed a memo from a collection of all major software and hardware vendors on Earth, saying that security will be put ahead of profits from now on!
It was delivered by a Unicorn, who got here on the gumdrop express via the rainbow highway.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675224</id>
	<title>Good to see MS catching up with 1995 Java</title>
	<author>Anonymous</author>
	<datestamp>1262773980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I can hardly wait for the flurry of sandboxing<br>patents.</p></htmltext>
<tokenext>I can hardly wait for the flurry of sandboxing patents .</tokentext>
<sentencetext>I can hardly wait for the flurry of sandboxing patents.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674924</id>
	<title>Re:Old news?</title>
	<author>Anonymous</author>
	<datestamp>1262772600000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>Wasn't sandboxing the cool word about 10 years ago?</p></div><p>Actually 15 years ago, when Java came out.</p>
	</htmltext>
<tokenext>Was n't sandboxing the cool word about 10 years ago ? Actually 15 years ago , when Java came out .</tokentext>
<sentencetext>Wasn't sandboxing the cool word about 10 years ago? Actually 15 years ago, when Java came out.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674662</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674594</id>
	<title>requires sophistication &amp; motivation; not opti</title>
	<author>Anonymous</author>
	<datestamp>1262770800000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>
All security problems are easy to solve if you have users who are sophisticated about security, and motivated to put up with inconveniences. The real world isn't like that.
</p><p>
A proposal like this inevitably requires that the user understand something about the sandbox, and also requires that the user go through various hassles because of the sandbox. They're going to perceive it as a hassle, because the sandbox is going to prevent them from doing things they would otherwise have done. If they're unsophisticated and unmotivated, they'll just see it as something to work around.
</p><p>
Not only that, but this isn't an optimal solution. A flash game has to be a Turing-complete program. A memo doesn't have to. The simple solution is just to stop embedding Turing-complete programming languages in file formats that don't require them. Adobe actually started by designing postscript as a Turing-complete language. That had some unfortunate consequences, since, e.g., you can't predict whether a program written in a Turing-complete language will halt, so in principle you can't predict whether a document will take forever to come out of the printer. They realized that that was a mistake, and when they designed pdf, they intentionally made it not Turing complete. Now we've come full circle, and they've added a Turing-complete language, javascript, back into pdf. That's just bad design. The solution for users is actually pretty easy: if you're using Adobe Reader, turn off javascript.
</p></htmltext>
<tokenext>All security problems are easy to solve if you have users who are sophisticated about security , and motivated to put up with inconveniences .
The real world is n't like that .
A proposal like this inevitably requires that the user understand something about the sandbox , and also requires that the user go through various hassles because of the sandbox .
They 're going to perceive it as a hassle , because the sandbox is going to prevent them from doing things they would otherwise have done .
If they 're unsophisticated and unmotivated , they 'll just see it as something to work around .
Not only that , but this is n't an optimal solution .
A flash game has to be a Turing-complete program .
A memo does n't have to .
The simple solution is just to stop embedding Turing-complete programming languages in file formats that do n't require them .
Adobe actually started by designing postscript as a Turing-complete language .
That had some unfortunate consequences , since , e.g. , you ca n't predict whether a program written in a Turing-complete language will halt , so in principle you ca n't predict whether a document will take forever to come out of the printer .
They realized that that was a mistake , and when they designed pdf , they intentionally made it not Turing complete .
Now we 've come full circle , and they 've added a Turing-complete language , javascript , back into pdf .
That 's just bad design .
The solution for users is actually pretty easy : if you 're using Adobe Reader , turn off javascript .</tokentext>
<sentencetext>
All security problems are easy to solve if you have users who are sophisticated about security, and motivated to put up with inconveniences.
The real world isn't like that.
A proposal like this inevitably requires that the user understand something about the sandbox, and also requires that the user go through various hassles because of the sandbox.
They're going to perceive it as a hassle, because the sandbox is going to prevent them from doing things they would otherwise have done.
If they're unsophisticated and unmotivated, they'll just see it as something to work around.
Not only that, but this isn't an optimal solution.
A flash game has to be a Turing-complete program.
A memo doesn't have to.
The simple solution is just to stop embedding Turing-complete programming languages in file formats that don't require them.
Adobe actually started by designing postscript as a Turing-complete language.
That had some unfortunate consequences, since, e.g., you can't predict whether a program written in a Turing-complete language will halt, so in principle you can't predict whether a document will take forever to come out of the printer.
They realized that that was a mistake, and when they designed pdf, they intentionally made it not Turing complete.
Now we've come full circle, and they've added a Turing-complete language, javascript, back into pdf.
That's just bad design.
The solution for users is actually pretty easy: if you're using Adobe Reader, turn off javascript.
</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675126</id>
	<title>Re:Let's just stop using the browser as an OS.</title>
	<author>Locutus</author>
	<datestamp>1262773560000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext>and things like ActiveX don't apply to the "been tacked on as a shitty after thought" comment? From what I've seen, Microsoft is the king of tacking things on as a shitty after thought otherwise they'd not still be known for security and reliability problems.  Rebooting  a Windows computer is still the number one recommendation for 'fixing' a broken Windows system across many IT orgs and reinstalling Windows is probably still in the top 10 things done to 'fix' the computer.<br><br>Besides, it's been Microsoft's attacking of software application vendors on their platform which has led to so much being attempted in the browser since it isolates them so much from Microsoft. You don't hear so much of what software vendors' software broke at every release of a new version of Microsoft Windows. That's because more and more business applications are fed from app servers to browsers and a minimum standard feature set must be met in the browser for it to be useful across the web and therefore IntraNet.<br><br>This has little to do with the browser being the problem, it is about the design of the Windows OS not doing its own memory protection and letting applications run many things as admin when they should be run as the user and they should not be accessing OS or other application space memory. This is another crutch for a bad design but it'll help sell more hardware if that's what you want.<br><br>LoB</htmltext>
<tokenext>and things like ActiveX do n't apply to the " been tacked on as a shitty after thought " comment ?
From what I 've seen , Microsoft is the king of tacking things on as a shitty after thought otherwise they 'd not still be known for security and reliability problems .
Rebooting a Windows computer is still the number one recommendation for 'fixing ' a broken Windows system across many IT orgs and reinstalling Windows is probably still in the top 10 things done to 'fix ' the computer . Besides , it 's been Microsoft 's attacking of software application vendors on their platform which has led to so much being attempted in the browser since it isolates them so much from Microsoft .
You do n't hear so much of what software vendors ' software broke at every release of a new version of Microsoft Windows .
That 's because more and more business applications are fed from app servers to browsers and a minimum standard feature set must be met in the browser for it to be useful across the web and therefore IntraNet . This has little to do with the browser being the problem , it is about the design of the Windows OS not doing its own memory protection and letting applications run many things as admin when they should be run as the user and they should not be accessing OS or other application space memory .
This is another crutch for a bad design but it 'll help sell more hardware if that 's what you want . LoB</tokentext>
<sentencetext>and things like ActiveX don't apply to the "been tacked on as a shitty after thought" comment?
From what I've seen, Microsoft is the king of tacking things on as a shitty after thought otherwise they'd not still be known for security and reliability problems.
Rebooting  a Windows computer is still the number one recommendation for 'fixing' a broken Windows system across many IT orgs and reinstalling Windows is probably still in the top 10 things done to 'fix' the computer. Besides, it's been Microsoft's attacking of software application vendors on their platform which has led to so much being attempted in the browser since it isolates them so much from Microsoft.
You don't hear so much of what software vendors' software broke at every release of a new version of Microsoft Windows.
That's because more and more business applications are fed from app servers to browsers and a minimum standard feature set must be met in the browser for it to be useful across the web and therefore IntraNet. This has little to do with the browser being the problem, it is about the design of the Windows OS not doing its own memory protection and letting applications run many things as admin when they should be run as the user and they should not be accessing OS or other application space memory.
This is another crutch for a bad design but it'll help sell more hardware if that's what you want. LoB</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675836</id>
	<title>yo dawg</title>
	<author>edittard</author>
	<datestamp>1262776560000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I herd u like sandboxing, so I put a sandbox in your sandbox so you can run in a sandbox when you're running in a sandbox.</htmltext>
<tokenext>I herd u like sandboxing , so I put a sandbox in your sandbox so you can run in a sandbox when you 're running in a sandbox .</tokentext>
<sentencetext>I herd u like sandboxing, so I put a sandbox in your sandbox so you can run in a sandbox when you're running in a sandbox.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674666</id>
	<title>Re:Already here. It's on my family PC..</title>
	<author>Anonymous</author>
	<datestamp>1262771280000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>"Windows 64-bit: Full support for 64-bit is available in recent beta versions of Sandboxie. Click here"</p><p>Looks like they are working on that.<nobr> <wbr></nobr>:)</p></htmltext>
<tokenext>" Windows 64-bit : Full support for 64-bit is available in recent beta versions of Sandboxie .
Click here " Looks like they are working on that .
: )</tokentext>
<sentencetext>"Windows 64-bit: Full support for 64-bit is available in recent beta versions of Sandboxie.
Click here" Looks like they are working on that.
:)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674506</id>
	<title>Re:And the year of..</title>
	<author>SnarfQuest</author>
	<datestamp>1262770440000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext><p>If you want to leave a lot of openings in your sandbox for malicious software to work through, you have to expect things to slow down.</p></htmltext>
<tokenext>If you want to leave a lot of openings in your sandbox for malicious software to work through , you have to expect things to slow down .</tokentext>
<sentencetext>If you want to leave a lot of openings in your sandbox for malicious software to work through, you have to expect things to slow down.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674394</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675310</id>
	<title>Re:Let's just stop using the browser as an OS.</title>
	<author>Anonymous</author>
	<datestamp>1262774400000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>In principle I agree with you, but I'm afraid the horse has already left the barn; good luck at getting it back in.</p></htmltext>
<tokenext>In principle I agree with you , but I 'm afraid the horse has already left the barn ; good luck at getting it back in .</tokentext>
<sentencetext>In principle I agree with you, but I'm afraid the horse has already left the barn; good luck at getting it back in.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674810</id>
	<title>The Year of "The Year of..."</title>
	<author>Anonymous</author>
	<datestamp>1262772180000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I predict that 2010 will be the year of the year of predictions.</p></htmltext>
<tokenext>I predict that 2010 will be the year of the year of predictions .</tokentext>
<sentencetext>I predict that 2010 will be the year of the year of predictions.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674656</id>
	<title>Re:Let's just stop using the browser as an OS.</title>
	<author>phantomfive</author>
	<datestamp>1262771220000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><div class="quote"><p>The answer is that we need to go back to using the browser as just a browser, and nothing else.</p></div><p>It's never going to happen.  The browser is too useful for too many other things.  If somehow we managed to get the browser to return to being just a page viewer, someone (like Microsoft) would create an API for online applications and call it a non-browser.  In fact, this was the original idea behind<nobr> <wbr></nobr>.net, and why it is called<nobr> <wbr></nobr>.net.  Online applications AKA cloud based applications are here to stay.</p>
	</htmltext>
<tokenext>The answer is that we need to go back to using the browser as just a browser , and nothing else . It 's never going to happen .
The browser is too useful for too many other things .
If somehow we managed to get the browser to return to being just a page viewer , someone ( like Microsoft ) would create an API for online applications and call it a non-browser .
In fact , this was the original idea behind .net , and why it is called .net .
Online applications AKA cloud based applications are here to stay .</tokentext>
<sentencetext>The answer is that we need to go back to using the browser as just a browser, and nothing else. It's never going to happen.
The browser is too useful for too many other things.
If somehow we managed to get the browser to return to being just a page viewer, someone (like Microsoft) would create an API for online applications and call it a non-browser.
In fact, this was the original idea behind .net, and why it is called .net.
Online applications AKA cloud based applications are here to stay.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676932</id>
	<title>Re:Windows 7</title>
	<author>Anonymous</author>
	<datestamp>1262782440000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>You <i>Upgraded</i> from XP to Windows 7?</p></htmltext>
<tokenext>You Upgraded from XP to Windows 7 ?</tokentext>
<sentencetext>You Upgraded from XP to Windows 7?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674452</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674790</id>
	<title>Untrusted apps - like Windows?</title>
	<author>strotz</author>
	<datestamp>1262772060000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Not trying to be a total troll but... I kind of like running XP in VMware as a virtual machine (especially when it is busy grinding through critical security updates and reboot cycles - while I am getting work done on the host OS)</htmltext>
<tokenext>Not trying to be a total troll but... I kind of like running XP in VMware as a virtual machine ( especially when it is busy grinding through critical security updates and reboot cycles - while I am getting work done on the host OS )</tokentext>
<sentencetext>Not trying to be a total troll but... I kind of like running XP in VMware as a virtual machine (especially when it is busy grinding through critical security updates and reboot cycles - while I am getting work done on the host OS)</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678208</id>
	<title>Wait</title>
	<author>MSDos-486</author>
	<datestamp>1262791800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Can someone explain how "sandboxing" is different than what chroot does?</htmltext>
<tokenext>Can someone explain how " sandboxing " is different than what chroot does ?</tokentext>
<sentencetext>Can someone explain how "sandboxing" is different than what chroot does?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30680060</id>
	<title>Re:Nah, it can still be done</title>
	<author>CxDoo</author>
	<datestamp>1262856120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>What's the point of this setup?</p><p>Whatever you want to download and use, has to come from the VM -&gt; your security is compromised.</p><p>Or... your main machine has no access to internet. Not really a solution.</p></htmltext>
<tokenext>What 's the point of this setup ? Whatever you want to download and use , has to come from the VM - &gt; your security is compromised . Or... your main machine has no access to internet .
Not really a solution .</tokentext>
<sentencetext>What's the point of this setup? Whatever you want to download and use, has to come from the VM -&gt; your security is compromised. Or... your main machine has no access to internet.
Not really a solution.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676384</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675528</id>
	<title>Re:So, everything will run via interpreter then?</title>
	<author>Rockoon</author>
	<datestamp>1262775300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>.NET programs are also not interpreted, and in fact NEVER have been.</htmltext>
<tokenext>.NET programs are also not interpreted , and in fact NEVER have been .</tokentext>
<sentencetext>.NET programs are also not interpreted, and in fact NEVER have been.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674820</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674758</id>
	<title>Sandboxing great for Multiplayer gaming</title>
	<author>ub3r n3u7r4l1st</author>
	<datestamp>1262771820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Just the 3D acceleration is a little bit iffy.</p><p>But otherwise, one can debug VAC or Warden in a sandbox and find a way to disable these spyware to make the gaming experience more enjoyable.</p></htmltext>
<tokenext>Just the 3D acceleration is a little bit iffy . But otherwise , one can debug VAC or Warden in a sandbox and find a way to disable these spyware to make the gaming experience more enjoyable .</tokentext>
<sentencetext>Just the 3D acceleration is a little bit iffy. But otherwise, one can debug VAC or Warden in a sandbox and find a way to disable these spyware to make the gaming experience more enjoyable.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674636</id>
	<title>Offtopic Parent</title>
	<author>Anonymous</author>
	<datestamp>1262771040000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>.. bloat.</p><p>Just look at how slow IE8 is to use.</p></div><p>What does this offtopic post have to do with sandboxing?</p></div>
	</htmltext>
<tokenext>.. bloat . Just look at how slow IE8 is to use . What does this offtopic post have to do with sandboxing ?</tokentext>
<sentencetext>.. bloat. Just look at how slow IE8 is to use. What does this offtopic post have to do with sandboxing?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674394</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674534</id>
	<title>tubg1r:l</title>
	<author>Anonymous</author>
	<datestamp>1262770560000</datestamp>
	<modclass>Offtopic</modclass>
	<modscore>-1</modscore>
	<htmltext><A HREF="http://goat.cx/" title="goat.cx" rel="nofollow">revel in oUr gay</a> [goat.cx]</htmltext>
<tokenext>revel in oUr gay [ goat.cx ]</tokentext>
<sentencetext>revel in oUr gay [goat.cx]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675080</id>
	<title>Office 2010</title>
	<author>PCM2</author>
	<datestamp>1262773320000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Microsoft might be doing more than you think. TFA brings up Protected Mode Internet Explorer, but Microsoft is incorporating <a href="http://www.infoworld.com/d/developer-world/five-security-lessons-learned-office-2010-729" title="infoworld.com">sandboxing-type ideas</a> [infoworld.com] into Office 2010, too. For example, before it opens files, Word 2010 will validate them against known-good and known-bad schema. The idea is to detect potentially risky files/actions and run them with reduced privilege. So if a given file was created using an old version of Word that includes implicit vulnerabilities, for example, Word 2010 will open it in read-only mode with macros disabled, while giving the user a button to activate the disabled features (with an "it's your funeral" warning message).</p><p>This is not exactly "sandboxing," but it serves the same purpose: It helps to keep bad things from happening accidentally or out of user ignorance. In the past, if a user tried to open a file with dangerous macros, the app might throw up a warning message: "OMG if I open this file all hell will break loose!" But the user <i>really wants</i> to see what's in that file, so he just clicks "OK," and the damage is done. With Office 2010, there are more situations where a file will open with a slightly degraded user experience (no macros, etc), which lets users do 90 percent of what they want to do -- read the text, or copy and paste it into a new file -- without putting them at risk.</p></htmltext>
<tokenext>Microsoft might be doing more than you think .
TFA brings up Protected Mode Internet Explorer , but Microsoft is incorporating sandboxing-type ideas [ infoworld.com ] into Office 2010 , too .
For example , before it opens files , Word 2010 will validate them against known-good and known-bad schema .
The idea is to detect potentially risky files/actions and run them with reduced privilege .
So if a given file was created using an old version of Word that includes implicit vulnerabilities , for example , Word 2010 will open it in read-only mode with macros disabled , while giving the user a button to activate the disabled features ( with an " it 's your funeral " warning message ) . This is not exactly " sandboxing , " but it serves the same purpose : It helps to keep bad things from happening accidentally or out of user ignorance .
In the past , if a user tried to open a file with dangerous macros , the app might throw up a warning message : " OMG if I open this file all hell will break loose ! "
But the user really wants to see what 's in that file , so he just clicks " OK , " and the damage is done .
With Office 2010 , there are more situations where a file will open with a slightly degraded user experience ( no macros , etc ) , which lets users do 90 percent of what they want to do -- read the text , or copy and paste it into a new file -- without putting them at risk .</tokentext>
<sentencetext>Microsoft might be doing more than you think.
TFA brings up Protected Mode Internet Explorer, but Microsoft is incorporating sandboxing-type ideas [infoworld.com] into Office 2010, too.
For example, before it opens files, Word 2010 will validate them against known-good and known-bad schema.
The idea is to detect potentially risky files/actions and run them with reduced privilege.
So if a given file was created using an old version of Word that includes implicit vulnerabilities, for example, Word 2010 will open it in read-only mode with macros disabled, while giving the user a button to activate the disabled features (with an "it's your funeral" warning message). This is not exactly "sandboxing," but it serves the same purpose: It helps to keep bad things from happening accidentally or out of user ignorance.
In the past, if a user tried to open a file with dangerous macros, the app might throw up a warning message: "OMG if I open this file all hell will break loose!"
But the user really wants to see what's in that file, so he just clicks "OK," and the damage is done.
With Office 2010, there are more situations where a file will open with a slightly degraded user experience (no macros, etc), which lets users do 90 percent of what they want to do -- read the text, or copy and paste it into a new file -- without putting them at risk.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674432</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678376</id>
	<title>Re:And the year of..</title>
	<author>LordLimecat</author>
	<datestamp>1262793300000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>Chrome uses a sandbox model, and it seems to do OK.  Programs running in <a href="http://www.sandboxie.com/" title="sandboxie.com">Sandboxie</a> [sandboxie.com] seem to run pretty quick too.  Is it possible not all sandbox apps are created equal?<br> <br>
I'll also note that IE8 has more security than IE7, and yet curiously runs much faster than its predecessor.  Seems like security vs speed is a false dichotomy.</htmltext>
<tokenext>Chrome uses a sandbox model , and it seems to do OK. Programs running in Sandboxie [ sandboxie.com ] seem to run pretty quick too .
Is it possible not all sandbox apps are created equal ?
I 'll also note that IE8 has more security than IE7 , and yet curiously runs much faster than its predecessor .
Seems like security vs speed is a false dichotomy .</tokentext>
<sentencetext>Chrome uses a sandbox model, and it seems to do OK.  Programs running in Sandboxie [sandboxie.com] seem to run pretty quick too.
Is it possible not all sandbox apps are created equal?
I'll also note that IE8 has more security than IE7, and yet curiously runs much faster than its predecessor.
Seems like security vs speed is a false dichotomy.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674394</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30681184</id>
	<title>Easy to do in Linux</title>
	<author>Random Walk</author>
	<datestamp>1262872200000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I have a separate sandbox user for each application that accesses the net (mail, browser, ...). Each of these sandbox users is in its own group, and thus has access only to their own files and world readable (and eventually writeable, like /tmp) locations. Applications get started from my "real" account with sudo. I wonder why distros don't support that out of the box at least for the browser, because it would be fairly trivial to set up as part of a "create new user" script.</htmltext>
<tokenext>I have a separate sandbox user for each application that accesses the net ( mail , browser , ... ) .
Each of these sandbox users is in its own group , and thus has access only to their own files and world readable ( and eventually writeable , like /tmp ) locations .
Applications get started from my " real " account with sudo .
I wonder why distros do n't support that out of the box at least for the browser , because it would be fairly trivial to set up as part of a " create new user " script .</tokentext>
<sentencetext>I have a separate sandbox user for each application that accesses the net (mail, browser, ...).
Each of these sandbox users is in its own group, and thus has access only to their own files and world readable (and eventually writeable, like /tmp) locations.
Applications get started from my "real" account with sudo.
I wonder why distros don't support that out of the box at least for the browser, because it would be fairly trivial to set up as part of a "create new user" script.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30686052</id>
	<title>Re:Instead of validating inputs</title>
	<author>Anonymous</author>
	<datestamp>1262894760000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>Cool, instead of screwing up the simple task of validating inputs, we'll simply screw up the complicated task of sandboxing.</p></div><p>Do both. And try not to screw them up.</p><p>I know you were being sarcastic. I'm not.</p></div>
	</htmltext>
<tokenext>Cool , instead of screwing up the simple task of validating inputs , we 'll simply screw up the complicated task of sandboxing . Do both .
And try not to screw them up . I know you were being sarcastic .
I 'm not .</tokentext>
<sentencetext>Cool, instead of screwing up the simple task of validating inputs, we'll simply screw up the complicated task of sandboxing. Do both.
And try not to screw them up. I know you were being sarcastic.
I'm not.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675314</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678880</id>
	<title>Why is there no Sandbox.com</title>
	<author>CrazyJim1</author>
	<datestamp>1262797440000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Here is how it'd work:<br>
Download and run applications on someone else's computer via one of those nifty remote desktops.<br>
If it has a virus, you don't download and run it on your own computer.</htmltext>
<tokenext>Here is how it 'd work : Download and run applications on someone else 's computer via one of those nifty remote desktops .
If it has a virus , you do n't download and run it on your own computer .</tokentext>
<sentencetext>Here is how it'd work:
Download and run applications on someone else's computer via one of those nifty remote desktops.
If it has a virus, you don't download and run it on your own computer.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675950</id>
	<title>Re:And the year of..</title>
	<author>alexhs</author>
	<datestamp>1262777040000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>And mostly useless bloat at that.</p><p>It's only adding one added layer to the dancing bunnies problem.</p><p>Virtualization is detectable. Your dancing bunnies malware will complain that it needs better access to the computer in order to run.</p><p>You only need memory protection, and an OS with some access control mechanisms.</p><p>If the application can't run in those constraints:</p><ul><li>Educated users will know that something is going wrong;</li><li>Uneducated users will escalate privileges one by one until the computer is pwned.</li></ul><p>Now what I think would be a secure system on paper :<br>Only signed apps run on native hardware, everything else in one big sandbox (reset each time, have fun reinstalling unsigned apps every day).</p><p>Practically, bugs can allow code injection in signed code, and the signing authority can miss malware, but this at least solves the dancing bunnies problem, because it's the hardware/OS vendor which will refuse you to run the application.</p><p>Well, unless if there was a way to work around the signing check. We could call that "jailbreaking" the computer. But that's unthinkable, isn't it ?</p></htmltext>
<tokenext>And mostly useless bloat at that . It 's only adding one added layer to the dancing bunnies problem . Virtualization is detectable .
Your dancing bunnies malware will complain that it needs better access to the computer in order to run . You only need memory protection , and an OS with some access control mechanisms . If the application ca n't run in those constraints : Educated users will know that something is going wrong ; Uneducated users will escalate privileges one by one until the computer is pwned . Now what I think would be a secure system on paper : Only signed apps run on native hardware , everything else in one big sandbox ( reset each time , have fun reinstalling unsigned apps every day ) . Practically , bugs can allow code injection in signed code , and the signing authority can miss malware , but this at least solves the dancing bunnies problem , because it 's the hardware/OS vendor which will refuse you to run the application . Well , unless if there was a way to work around the signing check .
We could call that " jailbreaking " the computer .
But that 's unthinkable , is n't it ?</tokentext>
<sentencetext>And mostly useless bloat at that. It's only adding one added layer to the dancing bunnies problem. Virtualization is detectable.
Your dancing bunnies malware will complain that it needs better access to the computer in order to run. You only need memory protection, and an OS with some access control mechanisms. If the application can't run in those constraints: Educated users will know that something is going wrong; Uneducated users will escalate privileges one by one until the computer is pwned. Now what I think would be a secure system on paper : Only signed apps run on native hardware, everything else in one big sandbox (reset each time, have fun reinstalling unsigned apps every day). Practically, bugs can allow code injection in signed code, and the signing authority can miss malware, but this at least solves the dancing bunnies problem, because it's the hardware/OS vendor which will refuse you to run the application. Well, unless if there was a way to work around the signing check.
We could call that "jailbreaking" the computer.
But that's unthinkable, isn't it ?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674394</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674840</id>
	<title>Sorry. The WWW is now a huge API</title>
	<author>Colin Smith</author>
	<datestamp>1262772360000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><p>Web servers don't serve html documents any more, they serve remote procedure calls from javascript front ends.</p></htmltext>
<tokenext>Web servers do n't serve html documents any more , they serve remote procedure calls from javascript front ends .</tokentext>
<sentencetext>Web servers don't serve html documents any more, they serve remote procedure calls from javascript front ends.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674504</id>
	<title>Cannon Fodder for your VM</title>
	<author>Anonymous</author>
	<datestamp>1262770380000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Fire up your VM-based Windows XP machine and head to http://www.offensivecomputing.net/</p><p>Their site contains tons of live malware. I believe it requires free subscription, however.</p></htmltext>
<tokenext>Fire up your VM-based Windows XP machine and head to http://www.offensivecomputing.net/ Their site contains tons of live malware .
I believe it requires free subscription , however .</tokentext>
<sentencetext>Fire up your VM-based Windows XP machine and head to http://www.offensivecomputing.net/ Their site contains tons of live malware.
I believe it requires free subscription, however.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30679296</id>
	<title>Re:How about reducing the surface area?</title>
	<author>tepples</author>
	<datestamp>1262802120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>They can be made so that only way to access file system is by File Dialog (see Java Web Start / JNLP).</p></div><p>But then the mechanism for providing a rich file chooser dialog, including a pane for previewing the selected file before opening, must be carefully designed so that the mechanism itself doesn't expose any holes.</p></div>
	</htmltext>
<tokenext>They can be made so that only way to access file system is by File Dialog ( see Java Web Start / JNLP ) . But then the mechanism for providing a rich file chooser dialog , including a pane for previewing the selected file before opening , must be carefully designed so that the mechanism itself does n't expose any holes .</tokentext>
<sentencetext>They can be made so that only way to access file system is by File Dialog (see Java Web Start / JNLP). But then the mechanism for providing a rich file chooser dialog, including a pane for previewing the selected file before opening, must be carefully designed so that the mechanism itself doesn't expose any holes.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678202</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674458</id>
	<title>Wow....  Welcome to Java applets, 1995...</title>
	<author>Anonymous</author>
	<datestamp>1262770200000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>Sandboxes are a tried and true idea, they work well.  It's about time</p></htmltext>
<tokenext>Sandboxes are a tried and true idea , they work well .
It 's about time</tokentext>
<sentencetext>Sandboxes are a tried and true idea, they work well.
It's about time</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675712</id>
	<title>Re:Already here. It's on my family PC..</title>
	<author>Anonymous</author>
	<datestamp>1262776020000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Also, Sandboxie has another interesting use-case that isn't really mentioned.</p><p>Sandboxie is GREAT for making pretty much any application portable.<br>How annoying is it when programs need to be reinstalled because you reinstalled the OS and it no longer has any registry items?<br>Well, no longer, install inside sandbox, backup before reinstalling, copy sandbox back over, bham.<br>Of course, applications that depend on USER keys won't work.  Only solution there is to write a script to replace the key IDs with the current user's ID.</p><p>I might write in to the developer to see if he could possibly add a tool in to do this automatically.</p></htmltext>
<tokenext>Also , Sandboxie has another interesting use-case that is n't really mentioned . Sandboxie is GREAT for making pretty much any application portable . How annoying is it when programs need to be reinstalled because you reinstalled the OS and it no longer has any registry items ? Well , no longer , install inside sandbox , backup before reinstalling , copy sandbox back over , bham . Of course , applications that depend on USER keys wo n't work .
Only solution there is to write a script to replace the key IDs with the current user 's ID . I might write in to the developer to see if he could possibly add a tool in to do this automatically .</tokentext>
<sentencetext>Also, Sandboxie has another interesting use-case that isn't really mentioned. Sandboxie is GREAT for making pretty much any application portable. How annoying is it when programs need to be reinstalled because you reinstalled the OS and it no longer has any registry items? Well, no longer, install inside sandbox, backup before reinstalling, copy sandbox back over, bham. Of course, applications that depend on USER keys won't work.
Only solution there is to write a script to replace the key IDs with the current user's ID. I might write in to the developer to see if he could possibly add a tool in to do this automatically.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675548</id>
	<title>Yeah right.</title>
	<author>Anonymous</author>
	<datestamp>1262775360000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>&gt; 2010 will be the year that software vendors get religion about sandboxing...</p><p>A prerequisite is that software vendors will get religion about <em>security</em>.   Haha.</p></htmltext>
<tokenext>&gt; 2010 will be the year that software vendors get religion about sandboxing... A prerequisite is that software vendors will get religion about security .
Haha .</tokentext>
<sentencetext>&gt; 2010 will be the year that software vendors get religion about sandboxing... A prerequisite is that software vendors will get religion about security.
Haha.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30689668</id>
	<title>Wrong</title>
	<author>CAIMLAS</author>
	<datestamp>1262871840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>2010 will not be the year of sandboxing applications. Give that another couple years, I think. System specifications are nowhere near high enough yet to make that a non-tedious infringement upon performance: consumers likely won't stand for it, and they're difficult features to implement (well) anyway. Poorly implemented sandboxing - which could arguably be considered 'infrastructural' to an application - isn't the kind of poorly implemented feature to walk forward with. Poorly implemented features at the infrastructure level = Windows engineering. Please, no.</p><p>What I think 2010 will give us: a speedy departure from the Desktop, for both home and business users. The only people still using them predominantly in a couple years will be the geeks, and the setbacks.</p><p>To move away from something, there's got to be something to move to... and with that, we've got a whole mess of inexpensive laptops and netbooks, and cellular phones/smartphones.</p><p>Most people have very simple Internet "needs". Facebook, email, youtube... that's the Internet to them. Even crappy smartphones (Blackberry, LG) can do that pretty well (albeit somewhat slowly). In the next year we're going to see a slew of smartphones coming out with fast, capable processors, more advanced frontend software, and some pretty impressive specifications.</p><p>So my prediction is: 2010 will be the year of smartphone malware and/or use.</p><p>I don't think we'll be to the "my cell phone is also my desktop computer" for another couple years, but if someone releases a smartphone with DisplayPort or similar technology, well... could be.</p></htmltext>
<tokenext>2010 will not be the year of sandboxing applications .
Give that another couple years , I think .
System specifications are nowhere near high enough yet to make that a non-tedious infringement upon performance : consumers likely wo n't stand for it , and they 're difficult features to implement ( well ) anyway .
Poorly implemented sandboxing - which could arguably be considered 'infrastructural ' to an application - is n't the kind of poorly implemented feature to walk forward with .
Poorly implemented features at the infrastructure level = Windows engineering .
Please , no . What I think 2010 will give us : a speedy departure from the Desktop , for both home and business users .
The only people still using them predominantly in a couple years will be the geeks , and the setbacks . To move away from something , there 's got to be something to move to... and with that , we 've got a whole mess of inexpensive laptops and netbooks , and cellular phones/smartphones . Most people have very simple Internet " needs " .
Facebook , email , youtube... that 's the Internet to them .
Even crappy smartphones ( Blackberry , LG ) can do that pretty well ( albeit somewhat slowly ) .
In the next year we 're going to see a slew of smartphones coming out with fast , capable processors , more advanced frontend software , and some pretty impressive specifications . So my prediction is : 2010 will be the year of smartphone malware and/or use . I do n't think we 'll be to the " my cell phone is also my desktop computer " for another couple years , but if someone releases a smartphone with DisplayPort or similar technology , well... could be .</tokentext>
<sentencetext>2010 will not be the year of sandboxing applications.
Give that another couple years, I think.
System specifications are nowhere near high enough yet to make that a non-tedious infringement upon performance: consumers likely won't stand for it, and they're difficult features to implement (well) anyway.
Poorly implemented sandboxing - which could arguably be considered 'infrastructural' to an application - isn't the kind of poorly implemented feature to walk forward with.
Poorly implemented features at the infrastructure level = Windows engineering.
Please, no. What I think 2010 will give us: a speedy departure from the Desktop, for both home and business users.
The only people still using them predominantly in a couple years will be the geeks, and the setbacks. To move away from something, there's got to be something to move to... and with that, we've got a whole mess of inexpensive laptops and netbooks, and cellular phones/smartphones. Most people have very simple Internet "needs".
Facebook, email, youtube... that's the Internet to them.
Even crappy smartphones (Blackberry, LG) can do that pretty well (albeit somewhat slowly).
In the next year we're going to see a slew of smartphones coming out with fast, capable processors, more advanced frontend software, and some pretty impressive specifications. So my prediction is: 2010 will be the year of smartphone malware and/or use. I don't think we'll be to the "my cell phone is also my desktop computer" for another couple years, but if someone releases a smartphone with DisplayPort or similar technology, well... could be.</sentencetext>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_29</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30679282
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675666
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_41</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675310
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_36</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30681814
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675666
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674840
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_26</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30680060
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676384
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674936
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674432
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_31</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675444
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30679096
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675154
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675040
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_23</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674746
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30679480
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676384
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674936
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674432
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675324
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_30</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678376
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674394
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30677874
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675510
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674988
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676292
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674820
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676766
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_42</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30679542
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_21</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675126
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674636
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674394
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_35</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675002
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676862
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674452
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678112
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674594
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_43</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674924
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674662
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_27</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675528
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674820
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_34</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675080
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674432
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676814
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676384
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674936
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674432
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_40</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675712
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678436
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674458
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_33</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675394
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674394
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30686052
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675314
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_24</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676932
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674452
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30716020
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_25</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675930
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674458
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678996
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_39</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674656
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_32</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30677972
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675666
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30677030
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675510
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674988
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30679296
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678202
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675666
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_22</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676648
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675950
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674394
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_38</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674666
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674758
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_37</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676448
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675544
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_28</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678176
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675314
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_06_2012204_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674506
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674394
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675644
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675604
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675666
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30679282
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30677972
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30681814
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678202
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30679296
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674394
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675394
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674636
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675950
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676648
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678376
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674506
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674516
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675224
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674662
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674924
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674594
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678112
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674988
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675510
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30677874
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30677030
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674458
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675930
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678436
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675314
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678176
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30686052
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674480
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674666
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675444
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675040
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675712
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676766
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674758
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676448
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675024
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675154
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30679096
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674956
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674452
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676932
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676862
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675092
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674820
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675528
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676292
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674432
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674936
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676384
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30680060
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30676814
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30679480
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675080
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_06_2012204.11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674554
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674746
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675544
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30678996
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675310
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675324
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675126
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674656
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30675002
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30716020
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30674840
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_06_2012204.30679542
</commentlist>
</conversation>
