On 07/02/2011 01:07 PM, Craig White wrote:
> On Fri, 2011-07-01 at 21:14 -0700, JD wrote:
>
>> You are right.
>> It turns out it does it via the intruder which the whole
>> world was deceived by Sun that it only plays in a sandbox
>> and has no access to anything outside that sandbox: Javascript.
> ----
> what does javascript have to do with Sun? It is not java. It doesn't
> share anything at all with java except the name which was an unfortunate
> choice.
> ----
>> So I used noscript to disable scripts from 192.168.1.254
>> and access to my drive went away.
>>
>> When will the linux community wake up and shout out loud:
>> Kill JavaScript from all browsers and all network servers
>> and network clients.
> ----
> turn off javascript and the Internet is almost unusable. I think you
> were close when you realized that your 'router' is likely an attack
> vector because many of the retail/home intended routers are known to
> have been compromised.
> ----
>> It is THE trojan horse hiding in plain sight and can access
>> EVERYTHING on your system that YOU have access to and
>> send it back to whatever destination the javascript was
>> written to send it to.
>>
>> Common people! JAVASCRIPT being executed by your
>> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!
> ----
> http://en.wikipedia.org/wiki/Javascript
>
> Sandbox implementation errors
>
> Web browsers are capable of running JavaScript outside
> of the sandbox, with the privileges necessary to, for
> example, create or delete files. Of course, such privileges
> aren't meant to be granted to code from the web.
>
> What you have demonstrated is one of the many reasons not to run GUI as
> root but you only saw the files/folders that you could see with a tool
> like nautilus or dolphin with exactly the same privileges so I guess I
> can't understand your hysterics.
>
> If noscript gives you peace of mind, then use it.
>
> Craig
>
>
Why do you resort to name calling? It is not hysterics.
A javascript sent by a web site can, if written to do so, open your files
and upload them to some remote site; and you call this hysterics?
Something is wrong with your thinking to resort to name calling.
I think users' awareness, that javascripts are indeed invasive and a
great threat to privacy, needs to be raised. Most users are unaware
of this threat.