Bernd Schoeller wrote:
> On Wed, Jul 13, 2005 at 04:16:10PM +0700, Neta wrote:
>> If your conclusion is right. Why so many internet banking used it?
>> Do you have any real experiences with your box?
>
> Since 9/11, we all should know the difference between an 'abstract
> threat' and a 'concrete threat'. JavaScript is an extremely complex
> language that never was designed with security in mind (at least not
> from people that took the word 'security' serious). As a result, JS
> has a high 'abstract threat' level.
>
> From the 'abstract threat', very often 'concrete threats' are
> created.

Yeah. Makes me wonder why you bother to make a distinction. Even stranger that you mention a spectacular conversion of "abstract threat" to "concrete threat".

> If you patch your browser frequently, chances are high that
> you are faster than the 'JavaScript Terrorists' that want to break
> into your machine.

So, you propose relying on the idea that the skills of the malicious people are less than the people looking for vulnerabilities? That used to be true, but now...we are seeing professionals making money using vulnerabilities. I think this is a foolish, very foolish, idea to continue to rely upon.

As OpenBSD developers know, most skilled programmers are much more interested in adding features to bloated-pigware, not auditing for weaknesses. So...you have the skilled people adding vulner..er..features, and the unskilled people exploiting vulnerabilities.

> Why so many banks use it? Because they do not take 'abstract threats'
> seriously.

They don't take any threats seriously, obviously.
http://www.computerworld.com.au/index.php?id=1845592592&fp=16&fpid=0
(linked off http://www.openbsd.org/press.html )

Banks (and most other large businesses) should not be used as any kind of evidence in any security discussion. They Don't Get It. The reason is simple: the consumers are more interested in flash than in security. Sure, everyone says they want security, but when it comes to what they are willing to actually give up for it, the answer is usually "almost nothing".

HOWEVER...all things considered, the security of your browser is probably not the weak point for on-line banking. Robbers generally go after the bank, not the customers. Granted, the customers are somewhat softer targets, and it appears deception is more effective than technology flaws at the moment, anyway...

*sigh*

Nick.

