You just moved from 'javascript is broken' to 'the entire internet is
broken'. That's fine, and there are a select few others who think that
way too. I also know somebody who thinks the moon is made of cheese.
It's a logical fallacy to claim that something must be true because
you're not the only crackpot out there.

> [snip theoretic rant about less-than-perfect SSL certificate implementations 
> and third party libraries]

Same applies to any other library you use in any other environment.
Most libraries loaded cross-browser can be deployed locally as well
and yet a vast array of web authors, including many who are extremely
security conscious, decide to load from a site they trust. Security
isn't about painting absolutist horrorshows. It's about pragmatism.

Furthermore, your rant is just ridiculous. You're complaining about
the lack of a thorough key infrastructure surrounding browser-based
apps. This in contrast to applications for the desktop that you
download and run, that offer absolutely zero security, and on Windows
XP, give instant root access to the one doing the download+install.
So, if the web is fundamentally broken because of this, then you must
be consistent and say that desktop apps are even more broken than
that. Sure, some very rarely used platforms seem to have pretty good
security infrastructure, but how do you really know? SSL seemed
utterly unbeatable for 2 decades until recently when it was seriously
damaged. 2 decades. That's an amazing security record. It's also
getting fixed, more or less (and no doubt that fix will eventually be
compromised; security is an ongoing process). If Java app signing
manages to survive unharmed for 2 decades even under the scrutiny of
something as popular and ubiquitous as the web, I'll eat my shoes.

In regards to Gmail, I'm guessing you're referring to me. Stop putting
words in my mouth; I claimed that the Gmail interface is the best for
reading mail, hands down. I did not say that everyone should be using
it. As this thread hijack originally started when Fabrizio basically
suggested that web apps are no good because you can't build good UI in
them, I showed that as an example: In practice, many web apps have far
better UI than desktop apps. I have absolutely no idea why you are
ranting about privacy here, it has zero relationship to UI design.
Sharing email between terminals is a fundamental utility feature of
any mail infrastructure, which usually means that people, even those
that use Mail.app or Thunderbird, use IMAP and leave their email _ON A
SERVER_. Even if they didn't, email is never delivered straight to
your home computer via a signed certificate, so if you are google-
paranoid, then the fact that you use email at all indicates you don't
understand the first thing about the entire concept of mail. This is a
solid example of why I so thoroughly dislike your rants; you just grab
on to a random internet complaint and use it to prove a point, even
though the very thing you're clinging to is as bad or worse in the
desktop world. Thus, you're literally ranting: You're painting pretty
pictures of better worlds without stopping to think that these utopias
you are painting do not exist anywhere. Faulting one party in a wide
array (web apps, vs. flash, javafx, desktop apps, win32, cocoa, etc,
etc) for faults they all have is silly.

On Dec 23, 5:27 pm, Ryan Waterer <[email protected]> wrote:
> I agree that taking the stance "fundamentally broken" is harsh.
> However, I am not the one that came up with this stance, nor am I the
> only one that thinks this way.   In fact, more and more are even
> taking the stance that the Browser model as it exists today is
> fundamentally flawed.
> See comments/podcasts/DEFCON talks by security experts such as Moxie
> Marlinspike, Steve Gibson, Dan Kaminsky etc.
>
> I agree that I misspoke.  I said software and yes, JavaScript is a
> programming language.  With the additions of jQuery, Google Analytics,
> Dojo, YUI, and other tools that you can simply plug into a web site
> without much knowledge, I feel that at times JavaScript is more of a
> software tool than a programming language.  (This in no way diminishes
> the heroic effort of those creating such fantastic tools/libraries for
> our use!)
>
> As far as claiming it is fundamentally flawed - If you look at top
> tech sites such as TechCrunch, they import quite a few different
> JavaScript plugins from other websites (google analytics, double
> click, google syndication, snap.com, etc).  If a hacker can compromise
> just one of those imported scripts, they now own the entire page.
> Imagine if you were able to take over googleanalytics code and insert
> something dire.  There are no MD5s of the code.  There are no hash
> sets of the code.  Any web site simply loads the updated code and all
> of a sudden the hacker (or you) now have control of thousands or
> millions of web sites.  Another part of the issue is that JavaScript
> being loaded from HTTPS will not protect you either; there is no
> protocol on how this should be done and each browser handles it
> differently.  Currently, they all will allow users to load JavaScript
> from expired or invalid SSL certificates.  So, with the above, I'll
> amend my statement to the following:  I believe that as it exists
> today, JavaScript is fundamentally flawed when specifically dealing
> with security.
>
> I only brought up Eric Schmidt since I felt it was relevant to that
> point in the discussion.  A reader in here had indicated that they
> felt everyone should be on Google Mail, and I believe Fabrizio
> indicated he didn't trust putting his data on the internet.  Given the
> position that Eric has within Google, I felt it quite appropriate to
> help Fabrizio in the point that he was making.
>
> I'd be quite happy to continue the discussion, but I am not sure
> others would want to.  Therefore, I'll limit my viewpoints and
> thoughts to the above until I'm suckered in for more. ;)
>
> --Ryan
>
>
>
> On Tue, Dec 22, 2009 at 7:28 PM, Reinier Zwitserloot <[email protected]> 
> wrote:
> > "Fundamentally, javascript is a broken piece of software"?
>
> > Don't be daft.
>
> > It's not software, it's a programming language. The web in general
> > suffers from many security issues. So does:
>
> >  - flash
> >  - SSL (which has been seriously beaten in the past year)
> >  - JVMs in the browser, in various ways, at various times.
> >  - browsers themselves with various buffer overflows unrelated to
> > javascript
>
> > Calling javascript fundamentally broken is a stupid thing to say
> > unless you follow through and also call applets, SSL, all browsers,
> > and flash fundamentally broken as well. That wouldn't be an
> > inconsistent viewpoint if you really ascribed to it, but I doubt
> > anyone is going to take you seriously if you espouse it.
>
> >> [snip rant on privacy]
>
> > Yes, privacy is an issue. Yes, Eric Schmidt's view on privacy makes
> > him a dangerous and hypocritical idiot. I don't understand what this
> > has to do with the web. If you mean that the entirety of the web was a
> > bad idea - you can, but know that standing in the way of technological
> > prowess like an old grandfather yelling at kids to stay off the lawn
> > has never once worked in the history of mankind.
>
> > On Dec 22, 9:14 pm, Ryan Waterer <[email protected]> wrote:
> >> We have definitely gotten off topic!
>
> >> This is something that I've become much more passionate about in the
> >> last couple of years, and I appreciate Fabrizio for his viewpoints.
> >> We, as a group, tend to enjoy the newest features, the newest toys and
> >> worry more about the time to deploy, stability and functionality than
> >> security and privacy.
>
> >> Fundamentally, JavaScript is a broken piece of software.  JavaScript
> >> is the primary culprit for most web based attacks.  If we look at
> >> Adobe, the primary reason why Reader has so many updates and security
> >> holes is simply due to adding JavaScript into the Adobe Reader.  There
> >> are many hacks, workarounds and policies that have been invented in the
> >> last 14 or so years to sidestep the vulnerabilities of JavaScript and
> >> mitigate the possible damages.  I don't believe that there is a need
> >> to go into this right now; a Google search will come up with pages and
> >> pages of examples of both attacks and defenses.
>
> >> I've been consulting off and on for a few local lawyers and I've told
> >> each of them to get off of google mail.  While this may seem strange
> >> to many people, the privacy of a lawyer and their discussions is
> >> paramount.  While Google Mail does offer many strengths, they are an
> >> easy target for legal subpoena of all of your email content.  This
> >> also has been well documented in Google's privacy policy as well as
> >> online.  (Yes, I understand the risks of hosting a private email
> >> server as well)
>
> >> Recently, Eric Schmidt has come under fire for his views on privacy on
> >> the internet as well.
> >> http://www.pcworld.com/article/184446/googles_schmidt_roasted_for_pri...
>
> >> FaceBook has recently come under a lot of fire for their privacy
> >> policy changes.  From appearances, it looks like they're trying to
> >> scale up and in essence going to sell your data to do so.
>
> >> Please note, I love what Google is doing with their products. They are
> >> really pushing the envelope as to how we interact with each other,
> >> data, and also computers.  As with Fabrizio, I just don't trust them
> >> to store all of my data in a secure, private way.  I've hesitated to
> >> really start using products such as Google Voice, Google Mail, Wave,
> >> etc. due to that lack of trust.  I don't want to be a tin-foil wearing
> >> psychopath, and yet, there are so many examples of why I should be!
>
> >> Now, back on topic:
>
> >> I love NetBeans, and I'm trying to incorporate it more into my daily
> >> life.  However, I find that Eclipse just does some things better than
> >> NetBeans.  As with others, I wish we could have a good melting of the
> >> best of NetBeans, and the best of Eclipse.
>
> >> --Ryan
>
> >> On Tue, Dec 22, 2009 at 11:15 AM, [email protected]
>
> >> <[email protected]> wrote:
> >> >> Why on earth would I want to sort my inbox?!
> >> >> I have search, which is powerful and fast. There is no
> >> >> need for tidy email management. This of course is one of
>
> >> > Perhaps because the mess reflects the mess in organizing my
> >> > life :-) I tend to do things related to interaction with
> >> > others (ranging from paid jobs to supporting open source
> >> > projects to paying taxes) in email-driven mails, by properly
> >> > tagging. This happens 80%+ of my emails, that get properly
> >> > collected in folders, but not for the remaining ones. On one
> >> > side I'm just involved in too many things, so I always lack
> >> > large portions of time, on the other I have to improve my
> >> > efficiency. I've been suggested to read the book "Getting
> >> > things done", but so far I haven't found the time to do it
> >> > :-)
>
> >> >> Gmail's great strength. I don't want to be rude but I
> >> >> think you should try something before writing it off,
> >> >> probably true for facebook as well.
>
> >> > No rudeness, instead I'm always thankful for advice. But
> >> > Thunderbird basic concepts are ok for me (tags and
> >> > searches). And as I said, even though GMail was so better, I
> >> > don't want to put all my stuff in the hands of Google (I'm
> >> > always puzzled when I see people complaining for yet another
> >> > camera at the airport check in, and then put all their
> >> > digital life in other's hands).
>
> >> > For FaceBook, I've already expressed my thoughts two years
> >> > ago:
> >> > http://weblogs.java.net/blog/2008/02/15/officially-i-hate-social-netw...
>
> >> > It just sounds as FaceBook incarnates the opposite of my
> >> > life style.
>
> >> > --
> >> > Fabrizio Giudici
>
> >> > --
> >> > Fabrizio Giudici, Ph.D. - Java Architect, Project Manager
> >> > Tidalwave s.a.s. - "We make Java work. Everywhere."
> >> > weblogs.java.net/blog/fabriziogiudici -
> >> > www.tidalwave.it/blog
> >> > [email protected] - mobile: +39 348.150.6941
>
> >> > --
>
> >> > You received this message because you are subscribed to the Google 
> >> > Groups "The Java Posse" group.
> >> > To post to this group, send email to [email protected].
> >> > To unsubscribe from this group, send email to 
> >> > [email protected].
> >> > For more options, visit this group at
> >> > http://groups.google.com/group/javaposse?hl=en.
>