From: Goran on
On Mar 14, 5:37 am, Hector Santos <sant9...(a)nospam.gmail.com> wrote:
> It's really quite fascinating how the mindset has evolved regarding
> zero-day discoveries:
>
>     - OLD RULE: Turn off javascript
>     - NEW RULE: Read tons of documents
>
> The point, watch how they now handle IE exploits found.  No longer
> will you see anything in their notes that says:
>
>      Turn off ActiveX
>      Turn off Javascript
>
> and as best I can tell, the reason is because turning it off BREAKS
> all kinds of other stuff, including 3rd party or their own.
>
> I was amazed at the China/Google zero-day IE security bug where
> NOWHERE in the Microsoft security announcements did it say "Turn off
> Javascript" and now the Chinese will not be able to exploit you.
>
> Look, no browser vendor wants you to turn off javascript. In fact,
> GOOGLE CHROME was the first browser not to offer the user the option
> to even turn it off.  This is the beginning for others to follow.
>
> Now web sites are taking the approach - NO JAVASCRIPT? GO AWAY!

Haha, good one.

I am actually running NoScript, AdBlock and FlashBlock. NoScript needs
a bit of warm-up (that is, it needed to know what sites I want with
javascript), but these days, my browsing goes the way I want it, not
the way the internet wants it.

I must be old. :-)

Goran.
From: Ajay Kalra on
On Mar 14, 7:10 am, "Bo Persson" <b...(a)gmb.dk> wrote:
> Hector Santos wrote:
>
> > Joe, the problem isn't really Javascript, the problem is well, good
> > engineering with the browser and a growing attitude that clients
> > should be doing more work and have access to the user's PC. So
> > originally the client was sandboxed and the scripting did not have an API
> > to access PC data.  That's changing and there is no stopping this
> > unfortunately.
>
> So 10 years ago we had a fat client for a local server app. That was
> supposed to be replaced by a thin client.
>
> Now we have a browser based fat client, which can be accessed from all
> over the internet.
>

My thoughts as well. Thin client is to make sure that we all get fat
appropriately.

--
Ajay


From: Joseph M. Newcomer on
See below...
On Sat, 13 Mar 2010 23:37:23 -0500, Hector Santos <sant9442(a)nospam.gmail.com> wrote:

>It's really quite fascinating how the mindset has evolved regarding
>zero-day discoveries:
>
> - OLD RULE: Turn off javascript
> - NEW RULE: Read tons of documents
>
>The point, watch how they now handle IE exploits found. No longer
>will you see anything in their notes that says:
>
> Turn off ActiveX
> Turn off Javascript
>
>and as best I can tell, the reason is because turning it off BREAKS
>all kinds of other stuff, including 3rd party or their own.
>
>I was amazed at the China/Google zero-day IE security bug where
>NOWHERE in the Microsoft security announcements did it say "Turn off
>Javascript" and now the Chinese will not be able to exploit you.
>
>Look, no browser vendor wants you to turn off javascript. In fact,
>GOOGLE CHROME was the first browser not to offer the user the option
>to even turn it off. This is the beginning for others to follow.
****
This is simply not true, I was turning JavaVirus and ActiveVirus off years ago in IE.

I was taken out by some scripting exploits years ago, and it is NEVER going to happen
again!

To add insult to injury, IE has this incredibly STUPID idea of categorizing sites as
"Internet", "Trusted", etc., instead of letting me customize the actions to an individual
site and ONLY to that site! So I can't say "I trust site X". Also, if you use IE8
"secure mode" most sites break. There is no provision for my requesting that a particular
Web site (for me, that would be 99.999% of all Web sites) be denied access to my machine
state (files, Registry, etc.) since most JavaVirus code really is only dealing with screen
interaction (or so it would like me to believe) and the JavaVirus interpreter is
essentially designed to be unsafe.

So when Microsoft says they "care about security" I believe they are lying. They not only
don't care, they are actively HOSTILE to anyone who wants a secure site!
joe
****
>
>Now web sites are taking the approach - NO JAVASCRIPT? GO AWAY!
>
>It took us nearly 7 years before we began to require Javascript for
>our web server client templates. Our templates were WEB 1.0 mostly
>because early browsers didn't support JS and because of security, many
>users turned it off. So WEB 1.0 was necessary.
>
>But as the industry grew, WEB 2.0 was the next stage. We began to add
>more of it to our templates. Not 100% but as options to operators to
>use special HTML clients, i.e. HTTP AUTHentication (BASIC/DIGEST) vs
>Form-based COOKIE login.
>
>A few years ago, we added jQuery support, which MS now directly
>supports as part of ASP. jQuery is distributed with our software and
>we use it for popup Message Previews. Our Chuck E Cheese customer who use
>our web server for store support who still have low bandwidth told us
>the popup message previews help speed things up.
>
>But now WEB 3.0 is upon us, and is a recycle of the client/server
>framework where more of the client-ware is off-loaded. Flash,
>SilverLight, Flex, etc, and now HTML5.
>
>Joe, the problem isn't really Javascript, the problem is well, good
>engineering with the browser and a growing attitude that clients
>should be doing more work and have access to the user's PC. So
>originally the client was sandboxed and the scripting did not have an API to
>access PC data. That's changing and there is no stopping this
>unfortunately.
>
>--
>HLS
>
>Joseph M. Newcomer wrote:
>
>> This is because Microsoft makes a lot of noise about being concerned about "computer
>> security" but essentially believe that if YOU care about it, well, screw you, JavaVirus
>> is essential for making Web sites *cool*, and nobody should make their machines secure by
>> disabling this primary malware vector (I recently attended a conference on computer
>> security, and what I learned about JavaVirus makes my most rabid rants about it look
>> understated compared to the deadly reality! Sort of like my saying "death can be a
>> serious inconvenience in your life" or "end-stage rabies is really uncomfortable")
>> joe
>>
>>
>> On Sat, 13 Mar 2010 14:00:05 -0500, Hector Santos <sant9442(a)nospam.gmail.com> wrote:
>>
>>> Giovanni Dicanio wrote:
>>>
>>>> Seems like there is a new MSDN VC++ Forum dedicated to MFC and ATL now:
>>>>
>>>> http://social.msdn.microsoft.com/Forums/en-US/vcmfcatl/threads
>>>>
>>>> Giovanni
>>> It breaks down if javascript is disabled. :)
>> Joseph M. Newcomer [MVP]
>> email: newcomer(a)flounder.com
>> Web: http://www.flounder.com
>> MVP Tips: http://www.flounder.com/mvp_tips.htm
Joseph M. Newcomer [MVP]
email: newcomer(a)flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
From: Hector Santos on
Joseph M. Newcomer wrote:

>> Look, no browser vendor wants you to turn off javascript. In fact,
>> GOOGLE CHROME was the first browser not to offer the user the option
>> to even turn it off. This is the beginning for others to follow.
> ****
> This is simply not true, I was turning JavaVirus and ActiveVirus off years ago in IE.


What's not true? There is no way to turn it off in Chrome, the first
browser to do this. And in my strong opinion, others will follow or it
will be made very difficult to turn off. I never said you could not
turn it off in all other browsers. Chrome is the first that I am
aware of where you can not.

--
HLS
From: Joseph M. Newcomer on
I misunderstood the parity of the statement.

I'm having a lot of trouble reading, this week, the consequence of a cerebral incident
last Saturday.
joe

On Mon, 15 Mar 2010 19:56:04 -0400, Hector Santos <sant9442(a)nospam.gmail.com> wrote:

>Joseph M. Newcomer wrote:
>
>>> Look, no browser vendor wants you to turn off javascript. In fact,
>>> GOOGLE CHROME was the first browser not to offer the user the option
>>> to even turn it off. This is the beginning for others to follow.
>> ****
>> This is simply not true, I was turning JavaVirus and ActiveVirus off years ago in IE.
>
>
>What's not true? There is no way to turn it off in Chrome, the first
>browser to do this. And in my strong opinion, others will follow or it
>will be made very difficult to turn off. I never said you could not
>turn it off in all other browsers. Chrome is the first that I am
>aware of where you can not.
Joseph M. Newcomer [MVP]
email: newcomer(a)flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm