[Gllug] Open Source Hardware User Group meeting on Thursday.

general_email at technicalbloke.com general_email at technicalbloke.com
Wed Apr 28 02:14:29 UTC 2010

Andrew Back wrote:
> On (01:20 28/04/10), general_email at technicalbloke.com wrote:
>> Dan Kolb wrote:
>>> On Tue, Apr 27, 2010 at 02:12:58PM +0100, general_email at technicalbloke.com wrote:
>>>> Actually there isn't if you are browsing with Javascript disabled - does
>>>> anyone browse with it enabled by default these days!?
>>> About 99.9% of people on the internet?
>>> Dan
>> But I'll wager considerably less on this list no? I'm surprised if not,
>> seeing as pretty much every security exploit out there leverages either
>> Javascript, Java applets or Flash. I'd assume those here are fairly well
>> informed people whose skin would crawl at the thought of
>> indiscriminately running any old 3rd party code your browser stumbles
>> across.
> "Stumbles"? What, like more or less any "rich web application"? That's an
> awful lot of sites you're excluding there. You never use Google Maps, for
> example?

I make an exception for them. Even now - believe it or not - most
websites work OK without javascript. When I come across one that doesn't
I weigh up how much I want that info/functionality vs the level of risk
I perceive vs the effort to google for an equivalent that doesn't
mandate scripting and permit/deny/google accordingly, it only takes
about a second.

And I think stumble sums it up pretty well when some sites load
completely unvetted scripts from as many as 7 or 8 other parties. I
think it's perfectly sensible to take a cautious approach to what code
you allow your machine to run especially when massive security bugs are
found in EVERY browser, script interpreter & VMs on a pretty regular
basis. It's not like these threats are even theoretical, pretty much
every security vulnerability in IE/FF/Flash/JS/Java is weaponized and
deployed as soon as it is discovered if not discovered because it is
already in use.

> I long for the days when you could repair computers to component level (~
> 80286). But they're more or less gone, and I've come to accept that this is
> a compromise that I must make if I don't want to find myself limited to the
> world of nostalgic computing. The same holds true for the Web.

If everyone put their hand in the fire...

> Ideals aside, shouting "No Javascript/Flash!" is a bit like advocating
> Betamax when the world has moved on to using VHS (apologies for using yet
> another terrible analogy).

Well I'm not an idealist, I'm not shouting and yes that's a truly
terrible analogy ;) Betamax (and its successors Beta SP and Digi-Beta)
was a far superior technology that went on to become the industry
standard tape format for 30 years and is still very much in use today,
unlike VHS.

Anyway I don't avoid scripting out of sheer ludditeism or some kind of
misplaced nostalgia, I avoid it by default because it is dangerous to
allow it by default. The net is a hostile place full of miscreants with
powerful robots who will gladly do me harm in order to gain money and/or
power and it's getting worse every day, that's just how it is.

Believe me I'd love to feel safe enough to go out and leave my front
door unlocked all day but that's just not the world we live in any more,
if I had no possessions maybe I would feel differently but I do and I owe
it to my clients to take all reasonable steps to ensure the safety of
their stuff too.



Gllug mailing list  -  Gllug at gllug.org.uk
