From: Luuk on
David Mark wrote:
> On Nov 8, 5:22 am, VK <schools_r...(a)yahoo.com> wrote:

>> P.P.S. Back in 2007 some "regulars" suggested that red and other pills
>> show my preoccupation with drugs... For the possible sorry beings who
>> did not see the "Matrix" movie yet: "red pill" refers to the pill Neo
>> had to take to leave the virtual world for the real one.
>
> We are through the looking glass now.

I surely do have to see that movie again.....

--
Luuk
From: David Mark on
On Nov 8, 2:29 pm, VK <schools_r...(a)yahoo.com> wrote:
> > > Given a situation with a malicious script that shadows (maskonizes)
>
> > Will you please stop making up words?
>
> See my answer to Stevo.

Saw it. Did you click that Wiki link? Then try Google. Then realize
it is better to use terms that exist for your audience. The audience
is not privy to your imagination.

Oh wait, there is a maskon:-

http://www.maskon.com/

>
> > > window.XMLHttpRequest with its own object that fully emulates the
> > > native one plus sends copies of each data input to a 3rd party server..
>
> > I'd love to see you try.  ;)
>
> Nothing to try here, it is a trivia. The question is to detect and to
> repair (where possible).

And you've got neither the question nor the answer straight. Can we
leave it at that? You could have left it at that ten years ago
without detracting one bit from this group. All you do is confuse
newcomers, who are usually confused enough to begin with.

>
> > > Until the malicious library is fully removed from any wide use, our
> > > emergency security patch has to ensure that each new XMLHttpRequest is
> > > based on the default vendor's constructor and not on some 3rd party
> > > runtime maskon.
>
> > What's a default vendor?
>
> "default vendor's constructor"

It's just confusing. Though this is a bit more clear than the rest of
it.

>
> > > On detecting a maskonized environment the security
> > > patch first tries to get the access to the real constructor; if it's
> > > not possible on the given platform then warn the user and break the
> > > code execution."
>
> > Pure fantasy.
>
> Pure fantasy is what? This way of "hijacking" or a possibility to have
> a code dealing with it? Please be more specific with your comments.

The possibility that your posts are not a complete waste of time.

>
> > > It seems to me it might be a very useful learning curb about Global,
> > > window, their differences and their per platform peculiarities.
>
> > Not time to curb your learning yet.
>
> That's a pity.

After ten years. Yes.
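
The detect-then-recover procedure quoted in the post above (check whether `window.XMLHttpRequest` is still the browser's own constructor, try to obtain the real one, otherwise stop), sketched as an added example that is not part of any post in this thread. `looksNative`, `auditGlobal` and the `getCleanRealm` callback are hypothetical names; in a browser the clean realm would be the `contentWindow` of a newly created same-origin iframe, and `Date` stands in for the native constructor because the sample runs under Node.

```javascript
// Capture the pristine toString first. A script that ran before this one could
// have patched it as well, so the "[native code]" test is a heuristic, not proof.
const fnToString = Function.prototype.toString;
const NATIVE_RE = /^\s*function\s+[\w$]*\s*\(\)\s*\{\s*\[native code\]\s*\}\s*$/;

function looksNative(fn) {
  if (typeof fn !== 'function') return false;
  try {
    return NATIVE_RE.test(fnToString.call(fn));
  } catch (e) {
    return false; // toString refused the object; treat as not native
  }
}

// win: window-like object; name: the global to audit;
// getCleanRealm: hypothetical callback returning a fresh window-like object or null.
function auditGlobal(win, name, getCleanRealm) {
  if (looksNative(win[name])) return { status: 'native', ctor: win[name] };
  const clean = getCleanRealm ? getCleanRealm() : null;
  const candidate = clean ? clean[name] : undefined;
  if (looksNative(candidate)) {
    // Hand the recovered constructor to the caller instead of writing it back
    // to win[name], where the shadowing script could replace it again.
    return { status: 'shadowed-recovered', ctor: candidate };
  }
  // Last step of the quoted procedure: warn and break code execution.
  throw new Error(name + ' is shadowed and no native constructor could be recovered');
}

// Constructed sample: a script-defined replacement on the page's window and a
// clean realm that still holds a built-in (Date as the stand-in).
function demo() {
  function ShadowXHR() {}
  const pageWin = { XMLHttpRequest: ShadowXHR };
  const cleanWin = { XMLHttpRequest: Date };
  return auditGlobal(pageWin, 'XMLHttpRequest', () => cleanWin);
}
```
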
From: VK on
David Mark wrote:
> Then realize
> it is better to use terms that exist for your audience.  The audience
> is not privy to your imagination.

The definition of what is "maskon" was given in the original post.
Again, you can use any term you like or just "the topic of the
conversation".

> All you do is confuse
> newcomers, who are usually confused enough to begin with.

Since when knowing the real system behavior became a synonym of
"confusion"? From the other side we already had the Flat Earth Society
( http://en.wikipedia.org/wiki/Flat_Earth_Society ), maybe it's time
for the Global Equals Window Society ? :)


> > > > Until the malicious library is fully removed from any wide use, our
> > > > emergency security patch has to ensure that each new XMLHttpRequest is
> > > > based on the default vendor's constructor and not on some 3rd party
> > > > runtime maskon.
>
> > > What's a default vendor?
>
> > "default vendor's constructor"
>
> It's just confusing.  Though this is a bit more clear than the rest of
> it.
>
>
>
> > > > On detecting a maskonized environment the security
> > > > patch first tries to get the access to the real constructor; if it's
> > > > not possible on the given platform then warn the user and break the
> > > > code execution."
>
> > > Pure fantasy.
>
> > Pure fantasy is what? This way of "hijacking" or a possibility to have
> > a code dealing with it? Please be more specific with your comments.
>
> The possibility that your posts are not a complete waste of time.

Then you don't mind I guess if I use for vulnerability samples My
Library? I used
http://www.cinsoft.net/mylib-builder.asp
to get Ajax + Requester only and it fits well for demonstration
purposes as totally maskon unprotected.
Only if you don't mind of course.


From: David Mark on
On Nov 8, 3:09 pm, VK <schools_r...(a)yahoo.com> wrote:
> David Mark wrote:
> > Then realize
> > it is better to use terms that exist for your audience.  The audience
> > is not privy to your imagination.
>
> The definition of what is "maskon" was given in the original post.
> Again, you can use any term you like or just "the topic of the
> conversation".
>
> > All you do is confuse
> > newcomers, who are usually confused enough to begin with.
>
> Since when knowing the real system behavior became a synonym of
> "confusion"?

Which "real system" is that? The one you've built up in your head
(and regurgitated all over this NG) over the years, despite the public
outcry?

> From the other side we already had the Flat Earth Society
> (http://en.wikipedia.org/wiki/Flat_Earth_Society), maybe it's time
> for the Global Equals Window Society ? :)

Who said anything about "Global Equals Window?"

>
>
>
> > > > > Until the malicious library is fully removed from any wide use, our
> > > > > emergency security patch has to ensure that each new XMLHttpRequest is
> > > > > based on the default vendor's constructor and not on some 3rd party
> > > > > runtime maskon.
>
> > > > What's a default vendor?
>
> > > "default vendor's constructor"
>
> > It's just confusing.  Though this is a bit more clear than the rest of
> > it.
>
> > > > > On detecting a maskonized environment the security
> > > > > patch first tries to get the access to the real constructor; if it's
> > > > > not possible on the given platform then warn the user and break the
> > > > > code execution."
>
> > > > Pure fantasy.
>
> > > Pure fantasy is what? This way of "hijacking" or a possibility to have
> > > a code dealing with it? Please be more specific with your comments.
>
> > The possibility that your posts are not a complete waste of time.
>
> Then you don't mind I guess if I use for vulnerability samples My
> Library? I used
>  http://www.cinsoft.net/mylib-builder.asp
> to get Ajax + Requester only and it fits well for demonstration
> purposes as totally maskon unprotected.
> Only if you don't mind of course.

Why should I mind? I'd prefer if you conducted your demonstration in
another NG, but I'm sure you'll carry on here.
From: VK on
David Mark wrote:
> Who said anything about "Global Equals Window?"

the Books Of ECMA, Chapter 10, "Global Object":
"in the HTML document object model the window property of the global
object is the global object itself".

Though as a not true believer I might be not bellyfeeling the text so
cannot perceive it properly, this is why it sounds to me as a DUI
(documenting under influence :)

> > Then you don't mind I guess if I use for vulnerability samples My
> > Library? I used
> >  http://www.cinsoft.net/mylib-builder.asp
> > to get Ajax + Requester only and it fits well for demonstration
> > purposes as totally maskon unprotected.
> > Only if you don't mind of course.

> Why should I mind?

Thank you