Article: Why you can't dump Java (even though you want to)

Gene Wirchenko

May 8, 2012, 11:51:55 AM
This was in the morning's trade articles:

www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
InfoWorld Home / Security / Security Adviser
May 08, 2012
Why you can't dump Java (even though you want to)
So many recent exploits have used Java as their attack vector, you
might conclude Java should be shown the exit
By Roger A. Grimes | InfoWorld

Comments?

Sincerely,

Gene Wirchenko

Arved Sandstrom

May 8, 2012, 4:14:26 PM
I tend to agree with what Grimes wrote on the second page of his
article. As he pointed out, popular software always gets exploited. Part
of it is due to defects in the software, so in Java in this case, but a
major part of it for a programming language and platform (JVM) is how
people code in it. How many Java programmers have genuinely absorbed the
lessons in "Secure Coding Guidelines for the Java Programming Language",
or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1
percent? No way is it any higher than that.

The main problem is the human being, whether coder or user.

AHS
--
Never interrupt your enemy when he is making a mistake.
--Napoleon

Nasser M. Abbasi

May 8, 2012, 4:36:01 PM
On 5/8/2012 3:14 PM, Arved Sandstrom wrote:

>
> The main problem is the human being, whether coder or user.
>
> AHS

There are now Trojans and viruses that attack the PC
using JavaScript.

One can't really shut down JavaScript in the browser like they can
with the Java plugin to prevent applets from running.

I think the whole internet is doomed. Nowhere to run and hide
any more.


--Nasser

markspace

May 8, 2012, 4:51:53 PM
On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>
>>
>> The main problem is the human being, whether coder or user.
>>
>> AHS
>
> There are now Trojans and viruses that attack the PC
> using JavaScript.
>
> One can't really shut down JavaScript in the browser like they can
> with the Java plugin to prevent applets from running.


Yes you can. I run Firefox with NoScript, an add-on that blocks
JavaScript. Most sites work OK without JavaScript. If I really need
to, NoScript makes it easy for me to temporarily enable a single website.

In some cases, the problem is the platform. I.e., JavaScript, or
ActiveX. But there's work-arounds too.

markspace

May 8, 2012, 4:59:01 PM
On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:

> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>>
>> The main problem is the human being, whether coder or user.
>>

> I think the whole internet is doomed. Nowhere to run and hide
> any more.


Arved wins this argument. From the article:

"Sure, I could opt not to use those Java-enabled services or install
Java and uninstall when I'm finished. But the core problem isn't
necessarily Java's exploitability; nearly all software is exploitable.
It's *unpatched* Java. Few successful Java-related attacks are related
to zero-day exploits. Almost all are related to Java security bugs that
have been patched for months (or longer)."


Again I use Firefox. After a recent upgrade of FF, it disabled the Java
plugin (a recent one, version 6 update 22 or so) calling it insecure.
OK whatever, so I downloaded a new one. It bugged me at the time but
now I see why: FF was forcing me to upgrade to a later patch. This
I'm removes known vulnerabilities.

It takes effort to stay on top of these things but it can be done. Now,
who's at fault for the Mac Java exploit? Oracle? Or Apple for
allowing users to run old, insecure versions of Java?

Nasser M. Abbasi

May 8, 2012, 5:01:07 PM
Well, I know I can turn off Javascript from firefox, it is
easy. Tools->Options->Content->uncheck Javascript.

The point is, browsing the internet is almost useless when
JavaScript is off. How will you browse Yahoo, Google, etc..
with no JavaScript? Many things do not work any more. Some do yes,
but many things need JavaScript to work.

It feels like driving a car with no wheels attached to it. Not
a fun thing to do.

--Nasser

markspace

May 8, 2012, 5:15:15 PM
On 5/8/2012 2:01 PM, Nasser M. Abbasi wrote:

> The point is, browsing the internet is almost useless when
> JavaScript is off.


Read what I wrote again. "NoScript makes it easy to temporarily enable
JavaScript for a single website."

Emphasis on the "makes it easy" and the "single website."

Using that feature allows me to browse safely, while still retaining the
option to quickly turn JS back on if I need it for a given website.

Nasser M. Abbasi

May 8, 2012, 5:41:31 PM
On 5/8/2012 4:15 PM, markspace wrote:
> On 5/8/2012 2:01 PM, Nasser M. Abbasi wrote:
>
>> The point is, browsing the internet is almost useless when
>> JavaScript is off.
>
>
> Read what I wrote again. "NoScript makes it easy to temporarily enable
> JavaScript for a single website."
>

And you read what I wrote again. I said it is very easy for
me to turn off Javascript and turn it on.

But for me, this is no way to browse the internet.

When I click on something and it does not work, then I
have to turn on javascript. Then remember to turn it off
again, then on again, then off again. I'll be spending
my day turning off and on Javascript.

If this works for you, fine. Not for me.

--Nasser

Gene Wirchenko

May 8, 2012, 6:05:51 PM
On Tue, 08 May 2012 16:01:07 -0500, "Nasser M. Abbasi" <n...@12000.org>
wrote:

>On 5/8/2012 3:51 PM, markspace wrote:
>> On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
>>> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:

>>>> The main problem is the human being, whether coder or user.

>>> There are now Trojans and viruses that attack the PC
>>> using JavaScript.
>>>
>>> One can't really shut down JavaScript in the browser like they can
>>> with the Java plugin to prevent applets from running.

>> Yes you can. I run Firefox with NoScript, an add-on that blocks
>> JavaScript. Most sites work OK without JavaScript. If I really need
>> to, NoScript makes it easy for me to temporarily enable a single website.
>>
>> In some cases, the problem is the platform. I.e., JavaScript, or
>> ActiveX. But there's work-arounds too.

>Well, I know I can turn off Javascript from firefox, it is
>easy. Tools->Options->Content->uncheck Javascript.
>
>The point is, browsing the internet is almost useless when
>JavaScript is off. How will you browse Yahoo, Google, etc..

Not even close. I use Firefox and NoScript as well. There are
few sites that I frequent that need JavaScript.

>with no JavaScript? Many things do not work any more. Some do yes,

You need better examples. Both Yahoo! and Google work without
JavaScript (at least, the basic search function).

>but many things need JavaScript to work.
>
>It feels like driving a car with no wheels attached to it. Not
>a fun thing to do.

No, it is like driving a car with no chrome on it. One might
miss it a bit, but it is not necessary in order to drive.

Some sites do make it very difficult. On some sites, clicking on
a link requires JavaScript to be executed. The <a> tag works fine
without JavaScript so this is bogosity. I tend to very quickly leave
such sites and not go back.

I have wondered why no one has come up with a limited JavaScript
that does not allow such attacks.

Sincerely,

Gene Wirchenko

Arved Sandstrom

May 8, 2012, 6:12:01 PM
I do the same thing: as much as possible I use various combos of Adblock
Plus/Opera Adblock, Do Not Track Plus, Ghostery, Priv3, NotScripts etc
in all of my browsers on all OS's. Not to mention cranking up the
browsers' own mechanisms as much as possible. I also find that most
sites work when imposed with severe restrictions - the ones that don't I
just dismiss, unless they are among a handful that I need and I
temporarily enable the minimum just like you.

Gene Wirchenko

May 8, 2012, 6:19:17 PM
On Tue, 08 May 2012 16:41:31 -0500, "Nasser M. Abbasi" <n...@12000.org>
wrote:
When I try opening a door and it is locked, then I have to get out
my keys and unlock the door. Then I have to remember to lock the door
again. Unlock and lock. I will be spending my day unlocking and
locking doors.

>If this works for you, fine. Not for me.

Leaving the barn door open has advantages but also significant
downside.

Sincerely,

Gene Wirchenko

markspace

May 8, 2012, 6:21:40 PM
On 5/8/2012 2:41 PM, Nasser M. Abbasi wrote:

> And you read what I wrote again. I said it is very easy for
> me to turn off Javascript and turn it on.


What you said was:


"> The point is, browsing the internet is almost useless when
> JavaScript is off."


Which is false.

> When I click on something and it does not work, then I
> have to turn on javascript. Then remember to turn it off
> again, then on again, then off again. I'll be spending
> my day turning off and on Javascript.


This is what I'm trying to explain to you, if you'll listen. NoScript
DOES NOT WORK LIKE THIS.

I enable JavaScript for ONE SITE. No other sites. I don't have to turn
JavaScript back off because it's still off for all other sites. Usually
I just use the "temporary" option so JS is enabled for one session.
When I quit, JS is back off again for all my temporary sites.

Sometimes I visit a site often enough that I enable it permanently, but
I have relatively few of those.

GET NOSCRIPT ALREADY and stop complaining that "it doesn't work" because
you have no idea what you are talking about.


Joshua Maurice

May 8, 2012, 6:32:08 PM
I will also second (or third?) firefox and noscript. Yes it's a pain,
and yes there's some websites that require javascript to work, but
it's better than nothing for a little amount of hassle.

Arne Vajhøj

May 8, 2012, 9:03:45 PM
On 5/8/2012 4:51 PM, markspace wrote:
> On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
>> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>>> The main problem is the human being, whether coder or user.
>>
>> There are now Trojans and viruses that attack the PC
>> using JavaScript.
>>
>> One can't really shut down JavaScript in the browser like they can
>> with the Java plugin to prevent applets from running.
>
>
> Yes you can. I run Firefox with NoScript, an add-on that blocks
> JavaScript. Most sites work OK without JavaScript. If I really need to,
> NoScript makes it easy for me to temporarily enable a single website.

That worked fine 10 years ago.

In these AJAX times the number of sites working without
JavaScript must be dropping pretty steep.

Arne

Arne Vajhøj

May 8, 2012, 9:04:31 PM
On 5/8/2012 4:59 PM, markspace wrote:
> On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
>> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>>> The main problem is the human being, whether coder or user.
>
>> I think the whole internet is doomed. Nowhere to run and hide
>> any more.
>
> Arved wins this argument. From the article:
>
> "Sure, I could opt not to use those Java-enabled services or install
> Java and uninstall when I'm finished. But the core problem isn't
> necessarily Java's exploitability; nearly all software is exploitable.
> It's *unpatched* Java. Few successful Java-related attacks are related
> to zero-day exploits. Almost all are related to Java security bugs that
> have been patched for months (or longer)."

????

Java should automatically update these days.

Arne

Arne Vajhøj

May 8, 2012, 9:13:07 PM
On 5/8/2012 4:14 PM, Arved Sandstrom wrote:
> On 12-05-08 12:51 PM, Gene Wirchenko wrote:
>> This was in the morning's trade articles:
>>
>> www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
>> InfoWorld Home / Security / Security Adviser
>> May 08, 2012
>> Why you can't dump Java (even though you want to)
>> So many recent exploits have used Java as their attack vector, you
>> might conclude Java should be shown the exit
>> By Roger A. Grimes | InfoWorld
>>

> I tend to agree with what Grimes wrote on the second page of his
> article. As he pointed out, popular software always gets exploited. Part
> of it is due to defects in the software, so in Java in this case, but a
> major part of it for a programming language and platform (JVM) is how
> people code in it. How many Java programmers have genuinely absorbed the
> lessons in "Secure Coding Guidelines for the Java Programming Language",
> or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1
> percent? No way is it any higher than that.

I think we need to distinguish between:
A) malicious applet code that gets unauthorized access to desktop
PC's when their users just browse the internet
B) hackers that break into a Java web app using various
security holes

A is what I assume the article is about. And the security
problems are caused by bugs in JVM and Java runtime.

B is caused by bugs introduced by the Java web app
developers. And this seems to be what that coding
standard tries to address.

Arne

Arne Vajhøj

May 8, 2012, 9:19:21 PM
The article is true but still completely BS.

There is a need for code running client side in web
solutions.

That code runs sandboxed and in theory does not have access
to anything on the client PC.

In practice there are some security bugs in the sandbox that
allows malicious code to gain access that it was not supposed
to have.

Same story whether it is Java applet, Flash, Silverlight,
JavaScript/HTML5 or even to some extent JavaScript/oldHTML.

As long as there is a need for code running client side
then the problem will exist.

Whether it is Java or something else does not matter.

So suggesting disabling Java in the browser is BS.

One can suggest disabling Java, Flash, JavaScript etc.
and see if one can live with the 1996 feeling.

Arne

markspace

May 8, 2012, 11:52:39 PM
On 5/8/2012 6:03 PM, Arne Vajhøj wrote:
> That worked fine 10 years ago.
>
> In these AJAX times the number of sites working without
> JavaScript must be dropping pretty steep.


A lot of sites don't work without JavaScript enabled. But many work
well enough. It's a matter of playing the odds. The more sites you go
to with JavaScript disabled by default, the less likely it is that
you'll get some sort of malware from them.

Sure I often have to enable JS, but only after I've seen the site first.
If it looks dodgy, I just leave. And often I can still click on a few
links or read an article without JS. It's rare I'll enable JS if I just
need one thing from a site.

markspace

May 8, 2012, 11:54:26 PM
On 5/8/2012 6:04 PM, Arne Vajhøj wrote:
>
> Java should automatically update these days.


The article specifically mentions Apple, who didn't patch their own
special version of Java for several months, until they got bit hard by a
trojan or something.

Yes, Oracle's new version for the Mac does enable auto-updates. But
there's enough old Java out there that I guess many don't have it.

Eric Sosman

May 9, 2012, 6:58:52 AM
On 5/8/2012 11:52 PM, markspace wrote:
> On 5/8/2012 6:03 PM, Arne Vajhøj wrote:
>> That worked fine 10 years ago.
>>
>> In these AJAX times the number of sites working without
>> JavaScript must be dropping pretty steep.
>
>
> A lot of sites don't work without JavaScript enabled. But many work well
> enough. It's a matter of playing the odds. The more sites you go to with
> JavaScript disabled by default, the less likely it is that you'll get
> some sort of malware from them.

For even more security, disable HTML.

--
Eric Sosman
eso...@ieee-dot-org.invalid

Gene Wirchenko

May 9, 2012, 1:06:45 PM
This is my experience, too. There are a lot of sites. Few
really need the JavaScript.

Sincerely,

Gene Wirchenko

Lew

May 9, 2012, 3:04:40 PM
Eric Sosman wrote:
> markspace wrote:
>> Arne Vajhøj wrote:
>>> That worked fine 10 years ago.
>>>
>>> In these AJAX times the number of sites working without
>>> JavaScript must be dropping pretty steep.
>>
>> A lot of sites don't work without JavaScript enabled. But many work well
>> enough. It's a matter of playing the odds. The more sites you go to with
>> JavaScript disabled by default, the less likely it is that you'll get
>> some sort of malware from them.
>
> For even more security, disable HTML.

For even more even more security, disable the Internet and don't use a computer.

--
Lew

Arved Sandstrom

May 9, 2012, 3:50:19 PM
Well, Grimes mentioned everything: Java apps as well as applets, users
insisting on using old Java versions because they believe their apps
need it [1], people not knowing what version they are running, unpatched
Java etc. Which is why I seized the opportunity to bitch about insecure
coding...which is ultimately the root of the problem anyway.

But you're right, it's mostly defects in Java runtimes that Grimes is
talking about.

One point about the secure coding guidelines - let's not characterize
that as "web app" coding. All those guidelines are about secure coding
for Java, period. If I were a Java EE web app developer I'd read the Sun
now Oracle secure coding guidelines for Java first, then something like
OWASP.

AHS

1. And we've had that conversation a number of times in various threads.

Roedy Green

May 9, 2012, 5:42:41 PM
On Tue, 08 May 2012 08:51:55 -0700, Gene Wirchenko <ge...@ocis.net>
wrote, quoted or indirectly quoted someone who said :

>
>www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
>InfoWorld Home / Security / Security Adviser
>May 08, 2012
>Why you can't dump Java (even though you want to)
>So many recent exploits have used Java as their attack vector, you
>might conclude Java should be shown the exit
>By Roger A. Grimes | InfoWorld
>
> Comments?

If dumped something on finding the first security hole Windows would
not have sold even one copy. JavaScript has no security at all. It
does not even try.

I have not personally ever found or been harmed by a hole in the
Applet sandbox or the run time or the Jet run time. I see comments
about obscure bugs getting fixed.

If a hole is causing trouble in the real world and the vendor does not
fix it, then you may have to look elsewhere. That does not describe
Java.
--
Roedy Green Canadian Mind Products
http://mindprod.com
Programmers love to create simplified replacements for HTML.
They forget that the simplest language is the one you
already know. They also forget that their simple little
markup language will bit by bit become even more convoluted
and complicated than HTML because of the unplanned way it grows.
.

Joshua Cranmer

May 10, 2012, 6:07:17 PM
On 5/9/2012 4:42 PM, Roedy Green wrote:
> If dumped something on finding the first security hole Windows would
> not have sold even one copy. JavaScript has no security at all. It
> does not even try.

The JavaScript language has no affordance for security by itself,
exactly like Java. The implementations of JS (in particular, what would
amount to standard libraries for JS) as found on most web browsers pay
as much attention to security as Java's applet sandboxing model does.
This includes going to such outlandish extremes as giving you the wrong
data for the color of some text on your page in certain circumstances.

--
Beware of bugs in the above code; I have only proved it correct, not
tried it. -- Donald E. Knuth

BGB

May 10, 2012, 7:36:03 PM
On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
pretty much anything which has open sockets or reads from shared
data-files is a potential security risk.

is the code reading data from the socket sufficiently hardened?
how about the code parsing one's document?
...

it isn't always an easy problem...


given programming languages can do a bit more, they present a much
bigger surface area to try to attack, making securing the language a
good deal harder.

but, with languages, it is a hard tradeoff between trying to give the
person using the language a lot of freedom while at the same time trying
to find ways to prevent the language from being used in unintended ways
by an attacker, which is also a bit of a problem.

Arne Vajhøj

May 10, 2012, 8:19:01 PM
On 5/9/2012 5:42 PM, Roedy Green wrote:
> On Tue, 08 May 2012 08:51:55 -0700, Gene Wirchenko<ge...@ocis.net>
> wrote, quoted or indirectly quoted someone who said :
>> www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
>> InfoWorld Home / Security / Security Adviser
>> May 08, 2012
>> Why you can't dump Java (even though you want to)
>> So many recent exploits have used Java as their attack vector, you
>> might conclude Java should be shown the exit
>> By Roger A. Grimes | InfoWorld
>>
>> Comments?
>
> If dumped something on finding the first security hole Windows would
> not have sold even one copy. JavaScript has no security at all. It
> does not even try.

Maybe you should learn a bit about JavaScript before writing about it.

JavaScript engine in a browser operates in a sandbox and has a
same origin policy. Which is not that far from Java applet model.

Arne

Arne Vajhøj

May 10, 2012, 8:20:00 PM
On 5/8/2012 11:52 PM, markspace wrote:
That does not sound as 2012 to me.

Arne


Arne Vajhøj

May 10, 2012, 8:23:14 PM
On 5/8/2012 11:54 PM, markspace wrote:
> On 5/8/2012 6:04 PM, Arne Vajhøj wrote:
>>
>> Java should automatically update these days.
>
> The article specifically mentions Apple, who didn't patch their own
> special version of Java for several months, until they got bit hard by a
> trojan or something.

Ah - the use of "Few successful Java-related attacks" made me think
that it was general not specific to the MacOS X incident.

Auto update of course requires that there is a fix.

> Yes, Oracle's new version for the Mac does enable auto-updates. But
> there's enough old Java out there that I guess many don't have it.

And that auto update exists for the platform & version in question.

Arne


Arne Vajhøj

May 10, 2012, 8:26:50 PM
> Well, Grimes mentioned everything: Java apps as well as applets, users
> insisting on using old Java versions because they believe their apps
> need it [1], people not knowing what version they are running, unpatched
> Java etc. Which is why I seized the opportunity to bitch about insecure
> coding...which is ultimately the root of the problem anyway.
>
> But you're right, it's mostly defects in Java runtimes that Grimes is
> talking about.
>
> One point about the secure coding guidelines - let's not characterize
> that as "web app" coding. All those guidelines are about secure coding
> for Java, period. If I were a Java EE web app developer I'd read the Sun
> now Oracle secure coding guidelines for Java first, then something like
> OWASP.

Good point.

The advice is applicable to all types of apps.

Systems connected to the internet are just a bit more let us
say expected to be attacked.

Arne




BGB

May 10, 2012, 10:05:05 PM
I had used AdBlock and similar, but ironically, it was not for sake of
either security or dislike of banner ads, but rather, to reduce the
often severe browser lag caused occasionally by typically Flash-based
banner ads.


Bent C Dalager

May 11, 2012, 5:09:48 AM
I think it's generally well accepted that using protection may detract
from the experience somewhat, but this does not automatically make it
a bad idea to do so. :-)

Personally, if someone expects me to spend my time on their website
they better provide a compelling reason for me to want to do so, and
gratuitous dependence on JS just puts me off. In general I consider it
a good early indicator of a terrible web designer: "You need JS to
click this link", right so this guy taught himself web design in his
own dreams.

Bent D.
--
Bent Dalager - b...@pvv.org - http://www.pvv.org/~bcd
powered by emacs

Gene Wirchenko

May 11, 2012, 12:41:02 PM
On Fri, 11 May 2012 09:09:48 +0000 (UTC), Bent C Dalager
<b...@pvv.ntnu.no> wrote:

>On 2012-05-11, Arne Vajhøj <ar...@vajhoej.dk> wrote:
>> On 5/8/2012 11:52 PM, markspace wrote:
>>> On 5/8/2012 6:03 PM, Arne Vajhøj wrote:
>>>
>>> Sure I often have to enable JS, but only after I've seen the site first.
>>> If it looks dodgy, I just leave. And often I can still click on a few
>>> links or read an article without JS. It's rare I'll enable JS if I just
>>> need one thing from a site.
>>
>> That does not sound as 2012 to me.

I decide on site use by something other than fashion.

There are many Websites that are not decked out in a fashionable
manner but that are very useful. I prefer them.

>I think it's generally well accepted that using protection may detract
>from the experience somewhat, but this does not automatically make it
>a bad idea to do so. :-)
>
>Personally, if someone expects me to spend my time on their website
>they better provide a compelling reason for me to want to do so, and
>gratuitous dependence on JS just puts me off. In general I consider it
>a good early indicator of a terrible web designer: "You need JS to
>click this link", right so this guy taught himself web design in his
>own dreams.

Exactly. Except that the JS-to-click design might also be due to
a gratuitous complexity bug (in the coder).

Sincerely,

Gene Wirchenko

javax.swing.JSnarker

May 12, 2012, 1:30:08 AM
On 11/05/2012 12:41 PM, Gene Wirchenko wrote:
> <b...@pvv.ntnu.no> wrote:
>> Personally, if someone expects me to spend my time on their website
>> they better provide a compelling reason for me to want to do so, and
>> gratuitous dependence on JS just puts me off. In general I consider it
>> a good early indicator of a terrible web designer: "You need JS to
>> click this link", right so this guy taught himself web design in his
>> own dreams.
>
> Exactly. Except that the JS-to-click design might also be due to
> a gratuitous complexity bug (in the coder).

I'm convinced that in most cases it's deliberate: punish users who
disable JS and force them to turn it on so they can be harassed with
annoying animated JS-reliant ads and crap.

Of course, Adblock Plus + enable JS and the user still gets the last laugh.

--
public final class JSnarker
extends JComponent
A JSnarker is an NNTP-aware component that asynchronously provides
snarky output when the Ego.needsPuncturing() event is fired in cljp.

Sleepy the Dwarf

May 13, 2012, 8:40:48 AM
On 12/05/2012 1:30 AM, javax.swing.JSnarker wrote:
> On 11/05/2012 12:41 PM, Gene Wirchenko wrote:
>> <b...@pvv.ntnu.no> wrote:
>>> Personally, if someone expects me to spend my time on their website
>>> they better provide a compelling reason for me to want to do so, and
>>> gratuitous dependence on JS just puts me off. In general I consider it
>>> a good early indicator of a terrible web designer: "You need JS to
>>> click this link", right so this guy taught himself web design in his
>>> own dreams.
>>
>> Exactly. Except that the JS-to-click design might also be due to
>> a gratuitous complexity bug (in the coder).
>
> I'm convinced that in most cases it's deliberate: punish users who
> disable JS and force them to turn it on so they can be harassed with
> annoying animated JS-reliant ads and crap.

And so they can be tracked!

Arne Vajhøj

May 20, 2012, 10:33:29 PM
On 5/10/2012 11:27 PM, Stefan Ram wrote:
> Arne Vajhøj<ar...@vajhoej.dk> writes:
>> Maybe you should learn a bit about JavaScript before writing about it.
>
> It is just true that whenever there is a security hole in a
> browser with no fix yet, I read »in the meantime, one can
> disable JavaScript as a workaround«.
>
> Some years ago, I started to collect such reports as a
> proof. But then I ceased to collect more such reports,
> because I needed my time for other things. Thus, when my
> records are dated now, this does not mean that there are no
> more such reports today; I just do not collect them anymore.
> If I would have continued, the list would be very much longer.
> Having said this, here is a copy of a dated post of mine
> with regard to JavaScript security from about 2006. At its
> end, there is a long list of said reports.

[actual list omitted]

It is a long list.

But you can also find a long list for Java applets and Flash Player.

Even "not really executing code" plugins like AcrobatReader have
had security holes.

Arne

Arne Vajhøj

May 20, 2012, 10:35:35 PM
On 5/11/2012 5:09 AM, Bent C Dalager wrote:
> On 2012-05-11, Arne Vajhøj<ar...@vajhoej.dk> wrote:
>> On 5/8/2012 11:52 PM, markspace wrote:
>>> On 5/8/2012 6:03 PM, Arne Vajhøj wrote:
>>>
>>> Sure I often have to enable JS, but only after I've seen the site first.
>>> If it looks dodgy, I just leave. And often I can still click on a few
>>> links or read an article without JS. It's rare I'll enable JS if I just
>>> need one thing from a site.
>>
>> That does not sound as 2012 to me.
>
> I think it's generally well accepted that using protection may detract
> from the experience somewhat, but this does not automatically make it
> a bad idea to do so. :-)

Correct.

> Personally, if someone expects me to spend my time on their website
> they better provide a compelling reason for me to want to do so, and
> gratuitous dependence on JS just puts me off. In general I consider it
> a good early indicator of a terrible web designer: "You need JS to
> click this link", right so this guy taught himself web design in his
> own dreams.

????

Considering AJAX heavy web sites to be terribly designed
is not exactly the trend seen on the web.

Arne


Arne Vajhøj

May 20, 2012, 10:37:28 PM
On 5/11/2012 12:41 PM, Gene Wirchenko wrote:
> On Fri, 11 May 2012 09:09:48 +0000 (UTC), Bent C Dalager
> <b...@pvv.ntnu.no> wrote:
>
>> On 2012-05-11, Arne Vajhøj<ar...@vajhoej.dk> wrote:
>>> On 5/8/2012 11:52 PM, markspace wrote:
>>>> On 5/8/2012 6:03 PM, Arne Vajhøj wrote:
>>>>
>>>> Sure I often have to enable JS, but only after I've seen the site first.
>>>> If it looks dodgy, I just leave. And often I can still click on a few
>>>> links or read an article without JS. It's rare I'll enable JS if I just
>>>> need one thing from a site.
>>>
>>> That does not sound as 2012 to me.
>
> I decide on site use by something other than fashion.
>
> There are many Websites that are not decked out in a fashionable
> manner but that are very useful. I prefer them.

That is your privilege.

Just be prepared that the share of web sites working without
JS will drop every year.

Arne


Gene Wirchenko

May 20, 2012, 11:25:54 PM
On Sun, 20 May 2012 22:37:28 -0400, Arne Vajhøj <ar...@vajhoej.dk>
wrote:

>On 5/11/2012 12:41 PM, Gene Wirchenko wrote:
>> On Fri, 11 May 2012 09:09:48 +0000 (UTC), Bent C Dalager
>> <b...@pvv.ntnu.no> wrote:
>>
>>> On 2012-05-11, Arne Vajhøj<ar...@vajhoej.dk> wrote:
>>>> On 5/8/2012 11:52 PM, markspace wrote:
>>>>> On 5/8/2012 6:03 PM, Arne Vajhøj wrote:
>>>>>
>>>>> Sure I often have to enable JS, but only after I've seen the site first.
>>>>> If it looks dodgy, I just leave. And often I can still click on a few
>>>>> links or read an article without JS. It's rare I'll enable JS if I just
>>>>> need one thing from a site.
>>>>
>>>> That does not sound as 2012 to me.
>>
>> I decide on site use by something other than fashion.
>>
>> There are many Websites that are not decked out in a fashionable
>> manner but that are very useful. I prefer them.
>
>That is your privilege.
>
>Just be prepared that the share of web sites working without
>JS will drop every year.

I have not noticed that, but it really does not matter. If the
Websites that I find useful tend not to use JavaScript, then I do not
have to enable JavaScript very often. It does not matter to me if the
proportion of useful sites to non-useful sites is low. What matters
is the number of useful sites, and yes, I do find enough of them.

I have found that a Website requiring JavaScript for simple
functionality is a fairly good indication that the Website will not be
useful to me.

Sincerely,

Gene Wirchenko

Bent C Dalager

May 21, 2012, 3:26:59 PM
That's ok; I often find myself at odds with the general perception. :D

What I do find striking is that this is 2012, more than 15 years after
HTML had standardised forms (<input>, HTML 2.0 I believe) and they are
/still/ playing catch-up to the established GUI frameworks such as
Motif, Windows, etc. Tab order, menu and tool bars, hotkeys/shortcuts,
i18n, layout, drag and drop, list selection: mostly a hodge podge of
what the developer chanced upon in some library somewhere and what he
could be bothered to hack together himself. Just such a simple matter
as standardising how to handle the browser's "Back" button in a web
app – cutting edge rocket science, it would seem.

Usually a new technology is reasonably mature after ten years, but
getting a proper GUI on web pages is taking forever.

(Yes, I sometimes do turn on JavaScript. :D)

Cheers,

Bent C Dalager

May 21, 2012, 3:31:47 PM
On 2012-05-21, Arne Vajhøj <ar...@vajhoej.dk> wrote:
>
> Just be prepared that the share of web sites working without
> JS will drop every year.

This is unlikely to become an actual problem before AJAX has proper
support (that developers actually /use/) for accessibility options
required by law.

And once that is in place, maybe GUI on web pages is finally mature
anyway.

Cheers,

Bent D

Kev Warren

May 21, 2012, 5:36:05 PM
On 21/05/2012 3:26 PM, Bent C Dalager wrote:
> Usually a new technology is reasonably mature after ten years, but
> getting a proper GUI on web pages is taking forever.

I thought you hated GUIs and refused to use any UI more advanced than a
screen-oriented console mode one such as a Unix shell, vi, or emacs?
