Reinier, You're a very passionate person and have a lot to provide to the group; which I am glad that you do.
>From your response, I believe that I'm not communicating very clearly in this discussion, and I apologize for that. In this response, I will try and be more thorough. I will attempt to leave out places where assumptions can be made about my position, or my intention. Earlier you had mentioned that if I take a particular stance, I'd be mocked for that stance since I would be alone. I responded with some examples of others who would take the same stance or something very similar, and now you say I'm performing a logical fallacy for doing so. If I am, I do apologize for the misunderstanding of trying to provide some examples instead of speaking crap from my ass. :) I do not claim to be the brightest, nor the smartest, nor even most proficient among us. From the discussions that I've watched from the sidelines, I believe that you understand many things in much more depth than I do. The intention of my original "rant" was simply to bring up a point that is rarely, if ever discussed in this group: privacy and security. I might be incorrect and everyone in this group would know about what you and I are discussing, and therefore, our discussion really isn't informing anyone. From the sidelines, and with the assistance of the lack of proper communication through email, Fabrizio was appearing to be mocked for his views on privacy, and the reasons why he didn't want to trust Google or the internet with all his data. I wanted to show some points indicating he's not alone in his viewpoints. Clearly, I've gone beyond that and went to the point of offending you. This was not my intention. Vince Cerf has indicated that there is a problem with the way the internet works regarding security. Quite frankly, I will gladly refer to him and other experts on the subject. I'll attempt to be much more clear this time around; even though there is a problem with security, it does not mean that the internet can not or will not continue to work as it is. In a security sense, it is fundamentally flawed, and needs to be improved. I agree with your statement about security being an evolutionary process, and one doesn't know they have a security issue until they have been hacked or until a PoC has been demonstrated. Despite what you assumed, I do understand how email works, and how the internet works. By the mere process of typing and sending this email through the internet, I'm touching 14 different routers. While impractical, each one could be siphoning off the data and storing it somewhere. If I was that paranoid about my data being online I simply wouldn't be online. We can not be online without something being stored somewhere for an unknown amount of time. Could be as simple as an IP address logged, or as crazy as everything being sucked into logs (AT&T secret room as an example). If I was that paranoid, I wouldn't carry a modern cell phone, or drive a modern car. I am not saying that I can not use the internet, or anyone use it. I'm just trying to say that there are flaws. I use Gmail. I use many Google products -- as I mentioned earlier, I love what they are doing, and how they are pushing the envelope. What I do not like is that the CEO of Google making absurd privacy and security statements. I don't want to trust Google with all my data. So many things in our lives make it much, much easier to live our lives, and to communicate across vast distances with friends, enemies and acquaintances. However, those same benefits to our lives reduce our privacy and often our security, and can cause more problems. I am a developer; I have worked in a different environments and I have seen few companies treat security and privacy as a priority. It is not a leap of faith to realize that businesses are more concerned about getting a product out of the door or an upgrade than to create a secure experience that deals with data appropriately. In fact, each company that I have worked for has essentially refused to encrypt socials, and stores them as readable text in a database. One can look at the number of government laptops sold on eBay in the last year (US, UK, and others) that have had social security numbers or credit card numbers still on the laptops, and understand that my personal experiences are not the exception, but most likely the rule. This last year, we have also discovered that possibly the Chinese government infiltrated the Dalai Lama network through a very easy security hole. The United States Government lost the plans to its top-secret new plane still in development. I understand that each attack was done in a different way, and through a different security flaw. My point here is just simply that we all have reasons to be at least concerned about who is collecting our data and how they are storing it given the practices of developers and the policies of companies that employ them. Instead of going back and forth over whether I'm clinically insane, frothing at the mouth, or should constantly wear a tin foil hat, I'd love to discuss more about what people do to help secure applications. What good experiences have people had regarding these issues? What steps have the people here done to protect data? What can we do individually or collectively as a group to talk about these issues without coming across as a blathering idiot? Am I the only one in this group that cares? I really would like to know more about how people approach this. Would this be better served as a discussion point regarding best practices at the roundup 2010 in Crested Butte? P.S. SSL has been broken before, and subsequently fixed. In 1996, SSL was updated from 2.0 to 3.0 to fix several security flaws (1.0 was not released). TLS 1.1 was introduced after TLS 1.0 (upgrade to SSL 3.0) to fix an attack vector on SSL. SSL in the last 6-10 months has been horribly beaten up, and completely broken under certain attack vectors. It is indeed much worse than ever before, with at least some, if not many real world attacks. --Ryan On Wed, Dec 23, 2009 at 2:05 PM, Reinier Zwitserloot <[email protected]> wrote: > You just moved from 'javascript is broken' to 'the entire internet is > broken'. That's fine, and there are a select few others who think that > way too. I also know somebody who thinks the moon is made of cheese. > It's a logical fallacy to claim that something must be true because > you're not the only crackpot out there. > >> [snip theoretic rant about less-than-perfect SSL certificate implementations >> and third party libraries] > > Same applies to any other library you use in any other environment. > Most libraries loaded cross-browser can be deployed locally as well > and yet a vast array of web authors, including many who are extremely > security conscious, decide to load from a site they trust. Security > isn't about painting absolutist horrorshows. It's about pragmatism. > > Furthermore, your rant is just ridiculous. You're complaining about > the lack of a thorough key infrastructure surrounding browser-based > apps. This in contrast to applications for the desktop that you > download and run, that offer absolutely zero security, and on Windows > XP, give instant root access to the one doing the download+install. > So, if the web is fundamentally broken because of this, then you must > be consistent and say that desktop apps are even more broken than > that. Sure, some very rarely used platforms seem to have pretty good > security infrastructure, but how do you really know? SSL seemed > utterly unbeatable for 2 decades until recently when it was seriously > damaged. 2 decades. That's an amazing security record. It's also > getting fixed, more or less (and no doubt that fix will eventually be > compromised; security is an ongoing process). If java app signing > manages to survive unharmed for 2 decades even under the scrutiny > something as popular and ubiquitous as the web, I'll eat my shoes. > > In regards to gmail, I'm guessing you're referring to me. Stop putting > words in my mouth; I claimed that the gmail interface is the best for > reading mail, hands down. I did not say that everyone should be using > it. As this thread hijack originally started when fabrizio basically > suggested that web apps are no good because you can't build good UI in > them, I showed that as an example: In practice, many web apps have far > better UI than desktop apps. I have absolutely no idea why you are > ranting about privacy here, it has zero relationship to UI design. > Sharing email between terminals is a fundamental utility feature of > any mail infrastructure, which usually means that people, even those > that use Mail.app or thunderbird, use IMAP and leave their email _ON A > SERVER_. Even if they didn't, email is never delivered straight to > your home computer via a signed certificate, so if you are google- > paranoid, then the fact that you use email at all indicates you don't > understand the first thing about the entire concept of mail. This is a > solid example of why I so thoroughly dislike your rants; you just grab > on to a random internet complaint and use it to prove a point, even > though the very thing you're clinging to is as bad or worse in the > desktop world. Thus, you're literally ranting: You're painting pretty > pictures of better worlds without stopping to think that these utopias > you are painting do not exist anywhere. Faulting one party in a wide > array (web apps, vs. flash, javafx, desktop apps, win32, cocoa, etc, > etc) for faults they all have is silly. > > On Dec 23, 5:27 pm, Ryan Waterer <[email protected]> wrote: >> I agree that taking the stance "fundamentally broken" is harsh. >> However, I am not the one that came up with this stance, nor am I the >> only one that thinks this way. In fact, more and more are even >> taking the stance that the Browser model as it exists today is >> fundamentally flawed. >> See comments/podcasts/DEFCON talks by security experts such as Moxie >> Marlinspike, Steve Gibson, Dan Kaminski etc. >> >> I agree that I misspoke. I said software and yes, JavaScript is a >> programming language. With the additions of JQuery, Google Analytics, >> DOJO, YUI, and other tools that you can simply plug into a web site >> without much knowledge, I feel that at times JavaScript is more of a >> software tool than a programming language. (This is no way diminishes >> the heroic effort of those creating such fantastic tools/libraries for >> our use!) >> >> As far as claiming it is fundamentally flawed - If you look at top >> tech site such as TechCrunch, they import quite a few different >> JavaScript plugins from other websites (google analytics, double >> click, google syndication, snap.com, etc). If a hacker can compromise >> just one of those imported scripts, they now own the entire page. >> Imagine if you were able to take over googleanalytics code and insert >> something dire. There are no MD5s of the code. There are no hash >> sets of the code. Any web site simply loads the updated code and all >> of a sudden the hacker (or you) now have control of thousands or >> millions of web sites. Another part of the issue is that JavaScript >> being loaded from HTTPS will not protect you either; there is no >> protocol on how this should be done and each browser handles it >> differently. Currently, they all will allow users to load JavaScript >> from expired or invalid SSL certificates. So, with the above, I'll >> amend my statement to the following: I believe that as it exists >> today, JavaScript is fundamentally flawed when specifically dealing >> with security. >> >> I only brought up Eric Schmidt since I felt it was relevant to that >> point in the discussion. A reader in here had indicated that they >> felt everyone should be on Google Mail, and I believe Fabrizio >> indicated he didn't trust putting his data on the internet. Given the >> position that Eric has within Google, I felt it quite appropriate to >> help Frabrizio in the point that he was making. >> >> I'd be quite happy to continue the discussion, but I am not sure >> others would want to. Therefore, I'll limit my viewpoints and >> thoughts to the above until I'm suckered in for more. ;) >> >> --Ryan >> >> >> >> On Tue, Dec 22, 2009 at 7:28 PM, Reinier Zwitserloot <[email protected]> >> wrote: >> > "Fundamentally, javascript is a broken piece of software"? >> >> > Don't be daft. >> >> > It's not software, it's a programming language. The web in general >> > suffers from many security issues. So does: >> >> > - flash >> > - SSL (which has been seriously beaten in the past year) >> > - JVMs in the browser, in various ways, at various times. >> > - browsers themselves with various buffer overflows unrelated to >> > javascript >> >> > Calling javascript fundamentally broken is a stupid thing to say >> > unless you follow through and also call applets, SSL, all browsers, >> > and flash fundamentally broken as well. That wouldn't be an >> > inconsistent viewpoint if you really ascribed to it, but I doubt >> > anyone is going to take you seriously if you espouse it. >> >> >> [snip rant on privacy] >> >> > Yes, privacy is an issue. Yes, Eric Schmidt's view on privacy makes >> > him a dangerous and hypocritical idiot. I don't understand what this >> > has to do with the web. If you mean that the entirety of the web was a >> > bad idea - you can, but know that standing in the way of technological >> > prowess like an old grandfather yelling at kids to stay off the lawn >> > has never once worked in the history of mankind. >> >> > On Dec 22, 9:14 pm, Ryan Waterer <[email protected]> wrote: >> >> We have definitely gotten off topic! >> >> >> This is something that I've become much more passionate about in the >> >> last couple of years, and I appreciate Fabrizio for his viewpoints. >> >> We, as a group, tend to enjoy the newest features, the newest toys and >> >> worry more about the time to deploy, stability and functionality than >> >> security and privacy. >> >> >> Fundamentally, JavaScript is a broken piece of software. Java Script >> >> is the primary culprit for most web based attacks. If we look at >> >> Adobe, the primary reason why Reader has so many updates and security >> >> holes is simply due to adding JavaScript into the Adobe Reader. There >> >> are many hacks, workaround and policies that have been invented in the >> >> last 14 or so years to sidestep the vulnerabilities of JavaScript and >> >> mitigate the possible damages. I don't believe that there is a need >> >> to go into this right now; a Google search will come up with pages and >> >> pages of examples of both attacks and defenses. >> >> >> I've been consulting off and on for a few local lawyers and I've told >> >> each of them to get off of google mail. While this may seem strange >> >> to many people, the privacy of a lawyer and their discussions is >> >> paramount. While Google Mail does offer many strengths, they are an >> >> easy target for legal subpoena of all of your email content. This >> >> also has been well documented in Google's privacy policy as well as >> >> online. (Yes, I understand the risks of a hosting a private email >> >> server as well) >> >> >> Recently, Eric Schmidt has come under fire for his views on privacy on >> >> the internet as >> >> well.http://www.pcworld.com/article/184446/googles_schmidt_roasted_for_pri... >> >> >> FaceBook has recently come under a lot of fire for their privacy >> >> policy changes. From appearances, it looks like they're trying to >> >> scale up and in essence going to sell your data to do so. >> >> >> Please note, I love what Google is doing with their products. They are >> >> really pushing the envelope as to how we interact with each other, >> >> data, and also computers. As with Fabrizio, I just don't trust them >> >> to store all of my data in a secure, private way. I've hesitated to >> >> really start using products such as Google Voice, Google Mail, Wave, >> >> etc. due to that lack of trust. I don't want to be a tin-foil wearing >> >> psychopath, and yet, there are so many examples of why I should be! >> >> >> Now, back on topic: >> >> >> I love NetBeans, and I'm trying to incorporate it more into my daily >> >> life. However, I find that Eclipse just does some things better than >> >> NetBeans. As with others, I wish we could have a good melting of the >> >> best of NetBeans, and the best of Eclipse. >> >> >> --Ryan >> >> >> On Tue, Dec 22, 2009 at 11:15 AM, [email protected] >> >> >> <[email protected]> wrote: >> >> >> Why on earth would I want to sort my inbox?! >> >> >> I have search, which is powerful and fast. There is no >> >> >> need for tidy email management. This of course is one of >> >> >> > Perhaps because the mess reflects the mess in organizing my >> >> > life :-) I tend to do things related to interaction with >> >> > others (ranging from paid jobs to supporting open source >> >> > projects to paying taxes) in email-driven mails, by properly >> >> > tagging. This happens 80%+ of my emails, that get properly >> >> > collected in folders, but not for the remaining ones. On one >> >> > side I'm just involved in too many things, so I always lack >> >> > large portions of time, on the other I have to improve my >> >> > efficiency. I've been suggested to read the book "Getting >> >> > things done", but so far I haven't found the time to do it >> >> > :-) >> >> >> >> Gmail's great strength. I don't want to be rude but I >> >> >> think you should try something before writing it off, >> >> >> probably true for facebook as well. >> >> >> > No rudeness, instead I'm always thankful for advice. But >> >> > Thunderbird basic concepts are ok for me (tags and >> >> > searches). And as I said, even though GMail was so better, I >> >> > don't want to put all my stuff in the hands of Google (I'm >> >> > always puzzled when I see people complaining for yet another >> >> > camera at the airport check in, and then put all their >> >> > digital life in other's hands). >> >> >> > For FaceBook, I've already expressed my thoughts two years >> >> > ago: >> >> >http://weblogs.java.net/blog/2008/02/15/officially-i-hate-social-netw... >> >> >> > It just sounds as FaceBook incarnates the opposite of my >> >> > life style. >> >> >> > -- >> >> > Fabrizio Giudici >> >> >> > -- >> >> > Fabrizio Giudici, Ph.D. - Java Architect, Project Manager >> >> > Tidalwave s.a.s. - "We make Java work. Everywhere." >> >> > weblogs.java.net/blog/fabriziogiudici - >> >> >www.tidalwave.it/blog >> >> > [email protected] - mobile: +39 348.150.6941 >> >> >> > -- >> >> >> > You received this message because you are subscribed to the Google >> >> > Groups "The Java Posse" group. >> >> > To post to this group, send email to [email protected]. >> >> > To unsubscribe from this group, send email to >> >> > [email protected]. >> >> > For more options, visit this group >> >> > athttp://groups.google.com/group/javaposse?hl=en. >> >> > -- >> >> > You received this message because you are subscribed to the Google Groups >> > "The Java Posse" group. >> > To post to this group, send email to [email protected]. >> > To unsubscribe from this group, send email to >> > [email protected]. >> > For more options, visit this group >> > athttp://groups.google.com/group/javaposse?hl=en. > > -- > > You received this message because you are subscribed to the Google Groups > "The Java Posse" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/javaposse?hl=en. > > > -- You received this message because you are subscribed to the Google Groups "The Java Posse" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/javaposse?hl=en.
