Re: [Bulk] Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
On Tue, 7 Oct 2014 05:11:30 +0300 Matti Karnaattu wrote:

> Like removing that stupid web browser idiom that where is addressbar and back/forward buttons.

The address bar is one of the only things you can trust when browsing a web page to the point that some mal-sites or mal-ads actually try to go full-screen and use a mock address bar within the page where incidentally the attack could be made much more effective/dangerous with javascript akin to the more widely known html for emails allowing fonts that make urls fool people.

Get rid of the address bar! and allow javascript everywhere, you must work for Google ;-)
Re: [Bulk] Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
On 15-10-2014 17:56, Kevin Chadwick wrote:

> The address bar is one of the only things you can trust when browsing a web page

Provided your dns isn't spoofed. And you are not being targeted with a mitm attack. And perhaps a few other things. But yeah, the address bar can normally be trusted.

> Get rid of the address bar! and allow javascript everywhere, you must work for Google;-)

It's funny you said that, because the POODLE vulnerability released yesterday (ironically from Google), besides needing a mitm attack, uses javascript on the user's browser for its attack vector. People need more proof that javascript is harmful?

Cheers
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
> Except it doesn't, server side code is more universal.

I strongly disagree. In server side there is vast amount of different software stacks build top of C library and they are incompatible. Running PHP code top of Java stack just doesn't work.

In client side, there has ongoing for several years a huge shift where ~all client code runs top of HTML/JS. And this is very remarkable because client side code doesn't any longer care what is below that HTML/JS environment. The umbilical cord for C language stack or OS is cut off, and practically all major players in IT-industry are committed for that.

Imagine that if late nineties, whole IT industry has decided to cut off all legacy and start to compile only Java byte code to Java API. All applications work every computer without recompiling, and Java runtime removes hardware and OS dependency, isolating all applications to sandboxes that restrict memory, disk space, filesystem access etc. That would have been great, but Sun Microsystem withdraw from standardization process, Microsoft implementation was totally incompatible, and while Java was proprietary it was not accepted by open source communities any more than Sun Microsystem competitors.

But now, it is a totally new game. Javascript is standard, there is open source implementations and they are compatible. World is changed that HTML/JS is global standard for application frontends. And then there is local 'standards', ecosystems, if there is need to make exclusive application for Apple or something. These competing local standards keep development running.

> Any idea how many noscript users there are amongst other filters and browsers like xombrero.

Maybe one in thousand. These were more popular back then when computers were slow and browsers immature, something like 7 years ago. Past two years, almost no one used these because applications doesn't work without JS.

> Simple HTML5 features and CSS3 are welcome by me but even JIT for performance annoys me. I'd rather they fixed the bugs and memory leaks and let me use websites in style and confidence.

You can't create applications without JS. Example, think about how mapping software are done with realtime pathfinding.

> If you had looked into browser vulnerabilities you would see that the *vast* majority even ones which do not mention that javascript is the issue can be avoided by disabling javascript or the issue is javascript related.

Disabling Javascript is like disabling ability to run modern application software. It is same if I just turn off computer. It is then secured.

> If I want to run an even more complex app then I would much prefer to do just that and run the web based dedicated application separately which any decent application needs anyway (application or plugin) and making it pointless bloat.

So it is better to download unknown application binary from when you like to see map? And think about effort to make that application to Android API, Cocoa, GTK+ 2, Qt and WinRT. Or, just make application to HTML/JS and that run everywhere in sandbox without hassle. Portability matters.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
On Mon, 6 Oct 2014, Matti Karnaattu wrote:

> Disabling Javascript is like disabling ability to run modern application software. It is same if I just turn off computer. It is then secured.

Sorry, that is totally bogus! The **FIRST** thing one should do when sitting down at a new browser is install NoScript [which is the most important reason TO use Firefox] and CookieMonster, so you can SEE what JS code is running and have the option to block individual sites.

I interpreted the comment to which you are referring as 'controlling' what JS is running, so YOU have the choice as to whether to allow tracking code (e.g. googleanalytics) or block.

As you state, it is *not* possible to use anything more than a basic website without JS, however it *is* realistic and reasonable to *limit* the cross-site JS code that is only there for the use of other third parties.

Lee
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
On 06-10-2014 14:20, Matti Karnaattu wrote:

> I strongly disagree. In server side there is vast amount of different software stacks build top of C library and they are incompatible. Running PHP code top of Java stack just doesn't work.

But none of them *require* javascript to function.

> In client side, there has ongoing for several years a huge shift where ~all client code runs top of HTML/JS. And this is very remarkable because client side code doesn't any longer care what is below that HTML/JS environment. The umbilical cord for C language stack or OS is cut off, and practically all major players in IT-industry are committed for that.

Of course it's nice to have a standard on the browsers and they, almost, always speak the same language. But there will always be an umbilical cord with C. Even the almighty browser needs an OS to run on top of it. I don't see that changing in the near future.

> Imagine that if late nineties, whole IT industry has decided to cut off all legacy and start to compile only Java byte code to Java API. All applications work every computer without recompiling, and Java runtime removes hardware and OS dependency, isolating all applications to sandboxes that restrict memory, disk space, filesystem access etc. That would have been great, but Sun Microsystem withdraw from standardization process, Microsoft implementation was totally incompatible, and while Java was proprietary it was not accepted by open source communities any more than Sun Microsystem competitors.

It would never happen. Java isn't all that great and even if Sun painted it gold, it would never take off. There is a reason why the web is dominated by scripting languages these days. And the reason isn't why sun didn't push for standardization, or anything like that. It's because java sucks.

> But now, it is a totally new game. Javascript is standard, there is open source implementations and they are compatible. World is changed that HTML/JS is global standard for application frontends. And then there is local 'standards', ecosystems, if there is need to make exclusive application for Apple or something. These competing local standards keep development running.

On the web, everybody should speak the same language. And that's a good thing. What is not a good thing is to have just one standard. That's never good.

> Maybe one in thousand. These were more popular back then when computers were slow and browsers immature, something like 7 years ago. Past two years, almost no one used these because applications doesn't work without JS.

Well, if you take just the downloads of the tor browser alone, there are a lot of people using noscript. You're speaking bullshit. Things are turning in the opposite direction. Sites that enhance the privacy of their users, will get competitive advantage.

> You can't create applications without JS. Example, think about how mapping software are done with realtime pathfinding.

Cosmetic things that aren't needed unless you're using a mobile browser, even then, you would probably be using an app.

> Disabling Javascript is like disabling ability to run modern application software. It is same if I just turn off computer. It is then secured.

A great deal in which javascript is used is to make cosmetic things pop in your browser that you really don't need for getting what you need: information. There are good uses of it of course, but it's not needed for making a great application.

> So it is better to download unknown application binary from when you like to see map? And think about effort to make that application to Android API, Cocoa, GTK+ 2, Qt and WinRT.

Yes. It is better. It's made for that. The problem with javascript, that we are pointing and you're not listening, is that you don't control what is run. If I download a binary application, even if it's not ideal, I can inspect what it's doing with debuggers, network capture, etc. It's not the best thing, but you can, if you want to. With JS when I go to a site, they start pulling third-party scripts, that pull others, and others. And it's a nightmare to see what's happening.

> Or, just make application to HTML/JS and that run everywhere in sandbox without hassle. Portability matters.

That's the job of the browser, and things are headed that way. But until we get there, I'll keep using noscript.

Cheers,
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
> however it *is* realistic and reasonable to *limit* the cross-site JS code that is only there for the use of other third parties.

I agree. I filter too crap away. Javascript itself is not problem.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
> But none of them require javascript to function.

Node.js

> What is not a good thing is to have just one standard. That's never good.

And this is current status. Apple, Canonical, Google and Microsoft pushing their own competing front end ecosystems. And there is still HTML/JS which is portable. I see current situation very ideal.

> A great deal in which javascript is used is to make cosmetic things pop in your browser that you really don't need for getting what you need: information.

Not all applications are for that. Let's say, numerical analysis software, video conferencing, electrical planning software.. or how about IDE with realtime code analysis?

It is very useful to see bugs while I write code without need to compile. It is even useful in Word Processing to have real time spell checking. These are not just cosmetic things.

> The problem with javascript, that we are pointing and you're not listening, is that you don't control what is run.

Of course I control. It very possible to white list / black list domains. It possible to limit all scripts to be launched from same trusted domain where I launch application. It is possible to install whole application to own server if I want. It is possible to put whole application instance to sandbox and require permission to camera, or limit memory usage. All data client sends is possible to control and monitor.

In security point of view, who manages server can't control what happens in client side. Client is always untrusted and input need to check. Client however can't control what happens in server. Client have to trust server where data is send. Everything else can be controlled.

> even then, you would probably be using an app.

And JS is for making app.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
On 06-10-2014 17:48, Matti Karnaattu wrote:

> Node.js

I've used it, and there is too much hype about it. It has its uses, but can be replaced with other non javascript technologies, at least from the server side.

> And this is current status. Apple, Canonical, Google and Microsoft pushing their own competing front end ecosystems. And there is still HTML/JS which is portable. I see current situation very ideal.

If any of these end up being better than JS, I don't see any reason not to use them.

> Not all applications are for that. Let's say, numerical analysis software, video conferencing, electrical planning software.. or how about IDE with realtime code analysis?

I said a great deal is for it. Of course not all of them. But, the examples you gave aren't the best ones. I prefer to use a desktop application for those instead of running them from my browser. Just saying.

> It is very useful to see bugs while I write code without need to compile. It is even useful in Word Processing to have real time spell checking. These are not just cosmetic things.

That's why you have scripting languages. Javascript is just another one that happens to be the *only* one in the client side.

> Of course I control. It very possible to white list / black list domains. It possible to limit all scripts to be launched from same trusted domain where I launch application. It is possible to install whole application to own server if I want. It is possible to put whole application instance to sandbox and require permission to camera, or limit memory usage. All data client sends is possible to control and monitor.

Well, this thread started because the OP not only controls what JS he opens in his browser, but he does not allow any. We already established that you can control, and allow or not it. The main issues are, the huge potential for misuse and the plethora of JS that tag along when you open a site and it starts pulling scripts from third parties, most of the time, not even encrypted.

> In security point of view, who manages server can't control what happens in client side.

Not always true.

> Client is always untrusted and input need to check.

This goes without saying. I go even further, you *always* should check your inputs, even software that runs only on the server side.

> Client however can't control what happens in server.

Also, not always true.

> Client have to trust server where data is send.

The main point of this discussion. The internet is the most hostile environment possible. The browser, which acts on your behalf, shouldn't *have* to trust whichever the server sends and run it unrestricted. This design is flawed.

> Everything else can be controlled.

Biggest bullshit you wrote in this entire thread.

> And JS is for making app.

But it's not the *only* option. This is one of the greatest points of mobile apps. You can choose how to do things. Even on the apple world, which is way more restricted than the android one.

Cheers
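
The message above objects to pages pulling in third-party scripts, often unencrypted, and the earlier replies mention whitelisting domains. As an added example that is not part of the original thread, the sketch below inventories the `<script>` loads in a page's static HTML and marks which are third-party, which travel over plain HTTP, and which a host whitelist would permit. The sample HTML, the hostnames and the function names are constructed for illustration, and scripts injected at run time by other scripts are not visible to it.

```javascript
// Added example (not from the thread): inventory the scripts a page's static
// HTML asks the browser to load. SAMPLE_HTML and all hostnames are constructed.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src='http://tracker.example.org/t.js' async></script>
<script src=//ads.example.com/a.js></script>
<script>var inlineCode = 1;</script>
<script data-src="http://lazy.example.org/x.js">/* inline loader */</script>
</head><body></body></html>`;

// auditScripts is a hypothetical helper name. allowedHosts plays the role of a
// NoScript-style whitelist; the page's own host is always allowed.
function auditScripts(html, pageUrl, allowedHosts = []) {
  const page = new URL(pageUrl);
  const allowed = new Set([page.host, ...allowedHosts]);
  const tagRe = /<script\b([^>]*)>/gi; // opening tags only
  // src must start the attribute list or follow whitespace, so data-src is skipped.
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const report = { inline: 0, external: [], unparseable: [] };

  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attr = srcRe.exec(m[1]);
    if (!attr) { // no src attribute: the code is inline in the page itself
      report.inline += 1;
      continue;
    }
    const raw = attr[1] ?? attr[2] ?? attr[3];
    let url;
    try {
      url = new URL(raw, page); // resolves relative and protocol-relative URLs
    } catch {
      report.unparseable.push(raw);
      continue;
    }
    report.external.push({
      url: url.href,
      thirdParty: url.host !== page.host,
      plaintext: url.protocol === 'http:', // fetched without TLS
      allowed: allowed.has(url.host),
    });
  }
  return report;
}

// Scripts a default-deny whitelist would refuse, plus any fetched unencrypted.
function flagged(report) {
  return report.external
    .filter((s) => !s.allowed || s.plaintext)
    .map((s) => s.url);
}

const result = auditScripts(SAMPLE_HTML, 'https://shop.example/checkout',
  ['cdn.example.net']);
console.log(result.inline, 'inline script(s)');
console.table(result.external);
console.log('flagged:', flagged(result));
```
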
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
Great conversation... Somehow you guys spend all your time whining about complicated deep technologies like Java / Javascript -- condemning them for their nasty complexity -- but at the same time using the conversation to hurt people trying to build something simpler. Who do you work for? Governments?
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
> If any of these end up being better than JS, I don't see any reason not to use them.

I think everyone of these are better if you don't care about portability.

> I prefer to use a desktop application for those instead of running them from my browser. Just saying.

There isn't much new desktop applications done lately, except for web.. I have my data in my servers, but I would like if I can manipulate everything directly with web interface in my network. That would be clean architecture.

> you always should check your inputs, even software that runs only on the server side.

Sure. I even employ DbC in my functions too..
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
> but at the same time using the conversation to hurt people trying to build something simpler.

It is not meant to hurt anyone. Optimal complexity is when there is nothing you like to add and nothing you like to remove.

It is just that sometimes happens event called disruptive innovation. When it happens, it is good to sit down and think, why that happened and why I was so stupid to not to realize that myself, because there are some good reasons always what make that event possible. It is also stupid to ignore that event ever happened. I didn't understand myself right away that iPhone was such an event (and I'm not Apple fanboy at all).

This conversation brings me a lot of ideas what should be done when building something simple.. Like removing that stupid web browser idiom that where is addressbar and back/forward buttons.

How about changing web browser to app launcher. Something like launch https://application.com; and that app launcher is designed to be app container. Application is started for local or remote computer, enforces security restricting access to local resources and remote servers and even know window coordinates so every application is launched on correct position on screen. And Javascript console.log can put stuff to stdout, errors to stderr...

That can be also then use to make more complex user interfaces, integrating several applications to one view. Hell yeah, more I think, I just don't even want to use anything else than those, terminal windows and X for legacy apps. It can also change world better if defaults are secure and that app launcher is adopted.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
> > but at the same time using the conversation to hurt people trying to build something simpler.
>
> It is not meant to hurt anyone.

I didn't mean to kill that guy when I was doing 250km

> It is just that sometimes happens event called disruptive innovation.

You tried to break chmod. Please innovate elsewhere.

> When it happens, it is good to sit down and think, why that happened and why I was so stupid to not to realize that myself, because there are some good reasons always what make that event possible. It is also stupid to ignore that event ever happened.

Yes, it is good to sit down and think.

> This conversation brings me a lot of ideas what should be done when building something simple.. Like removing that stupid web browser idiom that where is addressbar and back/forward buttons.

You are on the wrong list.

> How about changing web browser to app launcher.

You must be really full of yourself, because you are on the wrong mailing list.

> Something like launch https://application.com; and that app launcher is designed to be app container. Application is started for local or remote computer, enforces security restricting access to local resources and remote servers and even know window coordinates so every application is launched on correct position on screen. And Javascript console.log can put stuff to stdout, errors to stderr...

You are on the wrong list.

> That can be also then use to make more complex user interfaces, integrating several applications to one view. Hell yeah, more I think, I just don't even want to use anything else than those, terminal windows and X for legacy apps.

You are on the wrong list.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
> You are on the wrong list.

Ok. I will unsubscribe myself for.. eternity. Because I obviously have hurt feelings. Especially yours, Theo. I did not intentionally do that. And I have _never_ bashed you. And I actually never got what makes you so upset.

I'm enthusiast to tech without religion. Agnostic doesn't care that much about something, what is apparently extremely important to you.

Kindest thing you have ever said to me is that I'm government plant. Well, I'm not and I don't work Google either. But I think that is kind because I believe that it should be hard to make you to believe that.

It is better to me to disappear because it probably more beneficial to me put my free time effort when I'm between jobs to somewhere else than finding bugs from OpenBSD. Theo, bruteforce stress testing for OpenBSD went better than I expected. Surprisingly little amount of fails.

Sometimes when I debate, it gets out of hands. I should have quit this thread when I said that. My apologies. For everyone.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
People wrote:

> There are two things which irritates me in computing: 1. Need of security updates 2. Two pieces of technology which are not compatible with each other. I'm GLAD that finally we have Javascript. At last, we have language and platform that WORKS universally.

Except it doesn't, server side code is more universal. Any idea how many noscript users there are amongst other filters and browsers like xombrero.

> It is simply wonderful. Best thing after invention of WWW.

Wonderful yet the need for security updates irritates you??? If you had looked into browser vulnerabilities you would see that the *vast* majority even ones which do not mention that javascript is the issue can be avoided by disabling javascript or the issue is javascript related.

> (hey, even PayPal works without JS !)

Shortly before the recent security breaches I thankfully left paypal partly because they started requiring javascript but mainly because they were showing a technical lack of security understanding. Are you saying that they have reverted requiring javascript?

> The thing is that web is more than web sites. It is also full of applications and these are totally mixed.

Simple HTML5 features and CSS3 are welcome by me but even JIT for performance annoys me. I'd rather they fixed the bugs and memory leaks and let me use websites in style and confidence. If I want to run an even more complex app then I would much prefer to do just that and run the web based dedicated application separately which any decent application needs anyway (application or plugin) and making it pointless bloat.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
On Fri, 3 Oct 2014 13:26:11 -0400 (EDT) david...@ling.ohio-state.edu wrote:

> > Keeping Javascript disabled is like disabling programmability from shell. What is the idea?
>
> You're making a joke, maybe? *I* choose what programs my shell executes. But when I visit a webpage on the internet with javascript enabled, someone *else* chooses what programs are executed. So I don't enable javascript unless there's a good reason. And, for my purposes, there almost never is a good reason.

True and you wouldn't allow visitors to inject shell into your webserver and navigation of a site should not require javascript as per w3c guidelines.

However considering OpenBSD users are security savvy and should understand the potential risks of random sites running javascript and it may be that the cheapest or current pay system available required javascript then it is probably more useful to ask paypal why on earth they reduced the potential security of their users for a slightly nicer look or investigate and suggest an alternative.

OTOH I am told but correct me if I am wrong that in Germany they use bank transfers rather than credit cards and the banks I use no longer require javascript so perhaps that would be a better and more secure system all round, assuming they have a good method to verify the account numbers.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
> and navigation of a site should not require javascript as per w3c guidelines.

The thing is that web is more than web sites. It is also full of applications and these are totally mixed.

> However considering OpenBSD users are security savvy and should understand the potential risks of random sites running javascript

I'm sure that probably everyone here understand these risks, but in order to be security savvy doesn't rule out that you can also be pragmatic. I don't think that is pragmatic to expect people to use computers without applications. Or expect users of some software doesn't want to use applications.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
On 4 Oct 2014 at 1:41, Matti Karnaattu wrote:

> ... I don't think that is pragmatic to expect people to use computers without applications. Or expect users of some software doesn't want to use applications.

why not be the ultimate pragmatist you preach and go run Windows? (Isn't that what everybody runs and the only platform all software developers support? and the best part -- you won't be spamming OpenBSD mailing lists anymore ;-)