[GTALUG] security threats of Open Source

David Thornton northdot9 at gmail.com
Fri Nov 20 15:21:23 EST 2020


I can second the "noscript" thing. "Default deny" is good practice. No one
has to explain it for firewalls (any more, I hope), so why do we have to
explain it in other places?


On Thu, Jan 23, 2020 at 7:00 PM Don Tai via talk <talk at gtalug.org> wrote:

> I regularly browse with javascript turned off. I use NoScript. While it is
> a hassle, I whitelist trusted sites, but refuse script from 3rd-party sites.
> There is a bit of setup to do to whitelist sites. Scripts have long been
> abused. Browsing without js restores a bit of honesty in web pages, as a
> lot of the razzle dazzle crap code is not executed. I seek information more
> than eye candy. Cross-site scripting risk is nearly eliminated, making web
> browsing safer. You can also see which sites have added a whole lot of crap
> onto their script code and which 3rd-party sites they employ. This will
> colour your selection of credible web sites.
>
> As well I intermix browsers as well as use Tor.
>
> I encourage you to try it. Tilt the advantage to the user with the
> NoScript plugin.
>
> On Thu, 23 Jan 2020 at 18:30, o1bigtenor via talk <talk at gtalug.org> wrote:
>
>> On Thu, Jan 23, 2020 at 3:37 PM D. Hugh Redelmeier via talk
>> <talk at gtalug.org> wrote:
>> >
>> > | From: o1bigtenor via talk <talk at gtalug.org>
>> >
>> > | In this vein - - - - a contact who in computer terms calls himself a dinosaur
>> > | refuses to allow javascript on his computers doing all his browsing on text
>> > | based browsers. In his opinion javascript is a serious accident already in free
>> > | fall. What you're sharing only emphasizes that. Maybe it's time to join his
>> > | anti Javascript position?
>> >
>>
>> Thank you for your response!!
>>
>> > The issues are a little more intricate.
>>
>> They usually are - - - grin.
>> >
>> > Note npm is a repo (mostly?) for JavaScript to run under node.js.
>> > node.js is a server-side thing.  It runs JavaScript on the server.  Not in
>> > the client (browser).
>> >
>> > JavaScript itself isn't terrible.
>> >
>> > What is unfortunate, I think, is the unfettered creativity JavaScript
>> > in the browser allows web designers.  They misuse it, just like they
>> > did Adobe Flash previously.  To some extent this is caused by the good
>> > sides of JavaScript: how easy it is to learn, how easy it is to whip up
>> > complexity, how easy it is for the page creator to take control of the
>> > browser experience.
>>
>> From what little I know what I'm thinking is that the browser user needs
>> to have some tools to control what the browser does - - - - that seems
>> to be unobtanium at this point.
>> >
>> > What I was talking about was how easy it is to inject malicious code into
>> > the ecosystem.  That isn't actually the fault of the language.  (It is
>> > imaginable that one could design a language that prevented some abuse.)
>> >
>> > In fact, the language+browser have been designed to limit the damage
>> > that could be inflicted on the client side.  The npm problem is mostly
>> > server-side, I think (I'm not sure).
>> >
>> > Making something easier (cheaper, faster, more understandable, ...)
>> > allows it to be used more, often to excess.  Unexpected side effects
>> > can ensue.
>> >
>> > - increasing efficiency of cars makes driving cheaper so people
>> >   drive more and end up using more total energy (gasoline).
>>
>> Our obsession with individual transportation has become a major cost
>> factor in one's personal economy.
>> >
>> > - computers became a lot cheaper.  So a lot more money is spent on
>> >   computers.
>> >
>> > - programming has become easier.  So a lot more pointless programs have
>> >   been created.
>> >
>> > - when I worked on optimizing compilers, I thought that I was trying
>> >   to make existing programs run faster.  Then it struck me that it
>> >   allowed programmers to write programs in a simpler and clearer way
>> >   and have the compiler eliminate the performance cost.
>>
>> Interesting.
>> >
>> > Here's a random example of npm use:
>> >
>> > <https://www.electronjs.org/>
>> > ---
>> Thanks for the sharing!
>>
>> I'm wondering if there even is a way of reining in the wild possibilities in
>> javascript in a browser. If there is it would be quite nice if this would happen
>> quite soon. I'm finding that the web has become quite a frustrating and a very
>> very far from useful place to look for things.
>>
>> Regards
>> ---
>> Post to this mailing list talk at gtalug.org
>> Unsubscribe from this mailing list
>> https://gtalug.org/mailman/listinfo/talk
>>
>


-- 
David Thornton
https://wiki.quadratic.net
https://github.com/drthornt/
https://twitter.com/northdot9/
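As an added illustration of the "default deny" script policy this thread describes (allowlist the sites you trust, refuse everything else, and see which third-party hosts a page pulls in), here is a small decision routine in JavaScript. It is example code written for this page, not NoScript's code or anything from the posters; the trusted origins, the page URL and the list of script sources are constructed, and the exact-origin matching rule is an assumption chosen to stay conservative (NoScript's own site matching differs).

```javascript
// Added example, not NoScript's code. Default-deny policy for which scripts a
// page may run. All origins and URLs below are constructed for illustration.

// Origins the user has explicitly allowed. Exact-origin match only: an
// unlisted subdomain counts as a third party (assumption, kept conservative).
const TRUSTED_ORIGINS = new Set([
  "https://example.org",
  "https://static.example.org",
]);

// Decide whether one script may run on the page at pageUrl.
// src is the script's src attribute (absolute or relative) or null for an
// inline <script>. Returns { allow, reason, origin }.
function decideScript(pageUrl, src, trusted = TRUSTED_ORIGINS) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch (e) {
    return { allow: false, reason: "unparseable page URL", origin: null };
  }
  // Default deny: a page whose origin is not trusted runs nothing at all,
  // neither inline nor external.
  if (!trusted.has(page.origin)) {
    return { allow: false, reason: "page origin not allowlisted", origin: page.origin };
  }
  if (src === null) {
    return { allow: true, reason: "inline script on allowlisted page", origin: page.origin };
  }
  let script;
  try {
    script = new URL(src, pageUrl); // a relative src resolves against the page
  } catch (e) {
    return { allow: false, reason: "unparseable script URL", origin: null };
  }
  // javascript:, data:, blob: and other non-http(s) sources have no origin
  // that could be on the allowlist, so they are denied outright.
  if (script.protocol !== "https:" && script.protocol !== "http:") {
    return { allow: false, reason: "scheme " + script.protocol + " denied", origin: null };
  }
  if (!trusted.has(script.origin)) {
    return { allow: false, reason: "script origin not allowlisted", origin: script.origin };
  }
  return { allow: true, reason: "script origin allowlisted", origin: script.origin };
}

// Apply the decision to every script on a page and report what would run,
// what was blocked, and which third-party origins the page tries to load from.
function auditPage(pageUrl, scriptSrcs, trusted = TRUSTED_ORIGINS) {
  const report = { allowed: [], blocked: [], thirdParties: new Set() };
  const pageOrigin = new URL(pageUrl).origin;
  for (const src of scriptSrcs) {
    const d = decideScript(pageUrl, src, trusted);
    (d.allow ? report.allowed : report.blocked).push({ src, reason: d.reason });
    if (d.origin && d.origin !== pageOrigin) report.thirdParties.add(d.origin);
  }
  report.thirdParties = Array.from(report.thirdParties).sort();
  return report;
}

// Constructed sample: the script tags found on one article page.
const SAMPLE_PAGE = "https://example.org/news/article.html";
const SAMPLE_SCRIPTS = [
  "/js/site.js",                        // first-party, relative path
  "https://static.example.org/app.js",  // allowlisted CDN origin
  "https://ads.example.net/tag.js",     // third party, not allowlisted
  "javascript:void(0)",                 // no origin at all
  null,                                 // inline script
];

function sampleReport() {
  return auditPage(SAMPLE_PAGE, SAMPLE_SCRIPTS);
}

console.log(JSON.stringify(sampleReport(), null, 2));
```

On the sample page, the first-party file, the allowlisted CDN script and the inline script are allowed; the ad tag and the `javascript:` URL are blocked, and the report's `thirdParties` list shows both the CDN and the ad host, which is the "see which 3rd-party sites they employ" effect Don describes. Pointing the same function at a page whose own origin is not on the list denies everything, including scripts from otherwise trusted origins.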

