I agree that taking the stance "fundamentally broken" is harsh.
However, I am not the one that came up with this stance, nor am I the
only one that thinks this way. In fact, more and more are even
taking the stance that the browser model as it exists today is
fundamentally flawed.
See comments/podcasts/DEFCON talks by security experts such as Moxie
Marlinspike, Steve Gibson, Dan Kaminsky, etc.

I agree that I misspoke.  I said software and yes, JavaScript is a
programming language.  With the additions of jQuery, Google Analytics,
Dojo, YUI, and other tools that you can simply plug into a web site
without much knowledge, I feel that at times JavaScript is more of a
software tool than a programming language.  (This in no way diminishes
the heroic effort of those creating such fantastic tools/libraries for
our use!)

As far as claiming it is fundamentally flawed: if you look at top
tech sites such as TechCrunch, they import quite a few different
JavaScript plugins from other websites (Google Analytics, DoubleClick,
Google Syndication, snap.com, etc.).  If a hacker can compromise
just one of those imported scripts, they now own the entire page.
Imagine if you were able to take over the Google Analytics code and insert
something dire.  There are no MD5s of the code.  There are no hash
sets of the code.  Any web site simply loads the updated code and all
of a sudden the hacker (or you) now has control of thousands or
millions of web sites.  Another part of the issue is that JavaScript
being loaded from HTTPS will not protect you either; there is no
protocol on how this should be done and each browser handles it
differently.  Currently, they all will allow users to load JavaScript
from expired or invalid SSL certificates.  So, with the above, I'll
amend my statement to the following:  I believe that as it exists
today, JavaScript is fundamentally flawed when specifically dealing
with security.

I only brought up Eric Schmidt since I felt it was relevant to that
point in the discussion.  A reader in here had indicated that they
felt everyone should be on Google Mail, and I believe Fabrizio
indicated he didn't trust putting his data on the internet.  Given the
position that Eric has within Google, I felt it quite appropriate to
help Fabrizio in the point that he was making.

I'd be quite happy to continue the discussion, but I am not sure
others would want to.  Therefore, I'll limit my viewpoints and
thoughts to the above until I'm suckered in for more. ;)

--Ryan

On Tue, Dec 22, 2009 at 7:28 PM, Reinier Zwitserloot <[email protected]> wrote:
> "Fundamentally, javascript is a broken piece of software"?
>
> Don't be daft.
>
> It's not software, it's a programming language. The web in general
> suffers from many security issues. So does:
>
>  - flash
>  - SSL (which has been seriously beaten in the past year)
>  - JVMs in the browser, in various ways, at various times.
>  - browsers themselves with various buffer overflows unrelated to
> javascript
>
> Calling javascript fundamentally broken is a stupid thing to say
> unless you follow through and also call applets, SSL, all browsers,
> and flash fundamentally broken as well. That wouldn't be an
> inconsistent viewpoint if you really ascribed to it, but I doubt
> anyone is going to take you seriously if you espouse it.
>
>> [snip rant on privacy]
>
> Yes, privacy is an issue. Yes, Eric Schmidt's view on privacy makes
> him a dangerous and hypocritical idiot. I don't understand what this
> has to do with the web. If you mean that the entirety of the web was a
> bad idea - you can, but know that standing in the way of technological
> prowess like an old grandfather yelling at kids to stay off the lawn
> has never once worked in the history of mankind.
>
> On Dec 22, 9:14 pm, Ryan Waterer <[email protected]> wrote:
>> We have definitely gotten off topic!
>>
>> This is something that I've become much more passionate about in the
>> last couple of years, and I appreciate Fabrizio for his viewpoints.
>> We, as a group, tend to enjoy the newest features, the newest toys and
>> worry more about the time to deploy, stability and functionality than
>> security and privacy.
>>
>> Fundamentally, JavaScript is a broken piece of software.  JavaScript
>> is the primary culprit for most web based attacks.  If we look at
>> Adobe, the primary reason why Reader has so many updates and security
>> holes is simply due to adding JavaScript into the Adobe Reader.  There
>> are many hacks, workarounds and policies that have been invented in the
>> last 14 or so years to sidestep the vulnerabilities of JavaScript and
>> mitigate the possible damages.  I don't believe that there is a need
>> to go into this right now; a Google search will come up with pages and
>> pages of examples of both attacks and defenses.
>>
>> I've been consulting off and on for a few local lawyers and I've told
>> each of them to get off of Google Mail.  While this may seem strange
>> to many people, the privacy of a lawyer and their discussions is
>> paramount.  While Google Mail does offer many strengths, they are an
>> easy target for legal subpoena of all of your email content.  This
>> also has been well documented in Google's privacy policy as well as
>> online.  (Yes, I understand the risks of hosting a private email
>> server as well.)
>>
>> Recently, Eric Schmidt has come under fire for his views on privacy on
>> the internet as well.
>> http://www.pcworld.com/article/184446/googles_schmidt_roasted_for_pri...
>>
>> Facebook has recently come under a lot of fire for their privacy
>> policy changes.  From appearances, it looks like they're trying to
>> scale up and in essence are going to sell your data to do so.
>>
>> Please note, I love what Google is doing with their products. They are
>> really pushing the envelope as to how we interact with each other,
>> data, and also computers.  As with Fabrizio, I just don't trust them
>> to store all of my data in a secure, private way.  I've hesitated to
>> really start using products such as Google Voice, Google Mail, Wave,
>> etc. due to that lack of trust.  I don't want to be a tin-foil wearing
>> psychopath, and yet, there are so many examples of why I should be!
>>
>> Now, back on topic:
>>
>> I love NetBeans, and I'm trying to incorporate it more into my daily
>> life.  However, I find that Eclipse just does some things better than
>> NetBeans.  As with others, I wish we could have a good melting of the
>> best of NetBeans, and the best of Eclipse.
>>
>> --Ryan
>>
>> On Tue, Dec 22, 2009 at 11:15 AM, [email protected] <[email protected]> wrote:
>> >> Why on earth would I want to sort my inbox?!
>> >> I have search, which is powerful and fast. There is no
>> >> need for tidy email management. This of course is one of
>>
>> > Perhaps because the mess reflects the mess in organizing my
>> > life :-) I tend to do things related to interaction with
>> > others (ranging from paid jobs to supporting open source
>> > projects to paying taxes) in email-driven mails, by properly
>> > tagging. This happens for 80%+ of my emails, which get properly
>> > collected in folders, but not for the remaining ones. On one
>> > side I'm just involved in too many things, so I always lack
>> > large portions of time; on the other I have to improve my
>> > efficiency. It has been suggested that I read the book "Getting
>> > Things Done", but so far I haven't found the time to do it
>> > :-)
>>
>> >> Gmail's great strength. I don't want to be rude but I
>> >> think you should try something before writing it off,
>> >> probably true for facebook as well.
>>
>> > No rudeness, instead I'm always thankful for advice. But
>> > Thunderbird basic concepts are ok for me (tags and
>> > searches). And as I said, even if GMail were that much better, I
>> > don't want to put all my stuff in the hands of Google (I'm
>> > always puzzled when I see people complaining about yet another
>> > camera at the airport check-in, and then putting all their
>> > digital life in others' hands).
>>
>> > For Facebook, I've already expressed my thoughts two years
>> > ago:
>> > http://weblogs.java.net/blog/2008/02/15/officially-i-hate-social-netw...
>>
>> > It just sounds as if Facebook incarnates the opposite of my
>> > lifestyle.
>>
>> > --
>> > Fabrizio Giudici
>>
>> > --
>> > Fabrizio Giudici, Ph.D. - Java Architect, Project Manager
>> > Tidalwave s.a.s. - "We make Java work. Everywhere."
>> > weblogs.java.net/blog/fabriziogiudici -
>> > www.tidalwave.it/blog
>> > [email protected] - mobile: +39 348.150.6941
>>
>> > --
>>
>> > You received this message because you are subscribed to the Google Groups 
>> > "The Java Posse" group.
>> > To post to this group, send email to [email protected].
>> > To unsubscribe from this group, send email to 
>> > [email protected].
>> > For more options, visit this group
>> > at http://groups.google.com/group/javaposse?hl=en.
