[Gllug] Open Source Hardware User Group meeting on Thursday.

general_email at technicalbloke.com general_email at technicalbloke.com
Wed Apr 28 00:50:34 UTC 2010

Andrew Back wrote:
> On (14:24 27/04/10), Alain Williams wrote:
>> On Tue, Apr 27, 2010 at 02:15:44PM +0100, Dan Kolb wrote:
>>> On Tue, Apr 27, 2010 at 02:12:58PM +0100, general_email at technicalbloke.com wrote:
>>>> Actually there isn't if you are browsing with Javascript disabled - does
>>>> anyone browse with it enabled by default these days!?
>>> About 99.9% of people on the internet?
>> Not quite, but getting close. Many years on most people don't care about
>> security -- they see it as someone else's problem.
> I'm not sure how valid the concern is over Javascript security these days,
> provided you take reasonable care. You can turn it off, sure, but you will
> close yourself off to increasingly large areas of the Web.

And how is one supposed to take reasonable care eh? If you surf with
scripting enabled it's running before you even get to see the page and,
if it's up to no good, the chances are you won't see any difference anyway.

A lot of these browser exploits are OS independent and are as likely to
be hosted on hacked "good" websites as clearly shady ones. Your browsing
history or saved password file could be winging it's way to a .ru
address without you noticing a thing out of the ordinary, unless you
obsessively packet sniff everything you do in which case you have even
bigger issues ;)

I'd argue the simple way of dealing with the huge amount of malicious
script out there it is to is disallow scripting by default and enable it
as and when it is needed. You may argue one doesn't need to worry if one
is careful but everyone makes mistakes, that's why rm -rf gives you a
warning first unless you are root, would you advocate running as root
all the time?

I'll give you an example, a couple of times I've googled something and
then clicked the top "sponsored" links by mistake. Quite a lot of these
sponsored links say "official" and such like even if they aren't so it's
an easy mistake to make if you're tired or in a hurry. It turns out a
fair proportion of these links are malicious. However if I have
scripting disabled chance are it's no big whoop.

> I guess at the end of the day it's down to what you are happy with. But IMHO
> complaining about Javascript in 2010 is a bit like complaining about sites
> with images circa 2000.

Except that images circa 2000 couldn't root your box (well actually they
could if you were on Windows but luckily nobody discovered the GDI+ vuln
til about 2005, to the best of our knowledge). I may sound a bit
paranoid but it's only paranoia if they're not out to get you and,
having masses of other peoples data on my computer all the time I have
to assume they are.

One of the fastest growing botnets out there targets web designers and
lazy sys-admins specifically as they tend to have lots of server logons
stored on their machines, I personally don't feel comfortable surfing
with scripting enabled on a machine full of other peoples web server
credentials and backed up personal files.

If you are surfing on a box with nothing important on it and no
privileges on other networked sensitive machines and you never have to
type in anything that could be considered high security then by all
means, leave scripting on and surf with gay abandon - horses for courses
init. I'd have though many if not most people here would have some info
they'd prefer not to leak though.

Gllug mailing list  -  Gllug at gllug.org.uk

More information about the GLLUG mailing list