On 07/03/2011 01:45 AM, JD wrote:
> On 07/02/2011 01:07 PM, Craig White wrote:
>> On Fri, 2011-07-01 at 21:14 -0700, JD wrote:
>>
>>> You are right.
>>> It turns out it does it via the intruder which the whole
>>> world was deceived by Sun that it only plays in a sandbox
>>> and has no access to anything outside that sandbox: Javascript.
>> ----
>> what does javascript have to do with Sun? It is not java. It doesn't
>> share anything at all with java except the name which was an unfortunate
>> choice.
>> ----
>>> So I used noscript to disable scripts from 192.168.1.254
>>> and access to my drive went away.
>>>
>>> When will the linux community wake up and shout out loud:
>>> Kill JavaScript from all browsers and all network servers
>>> and network clients.
>> ----
>> turn off javascript and the Internet is almost unusable. I think you
>> were close when you realized that your 'router' is likely an attack
>> vector because many of the retail/home intended routers are known to
>> have been compromised.
>> ----
>>> It is THE trojan horse hiding in plain sight and can access
>>> EVERYTHING on your system that YOU have access to and
>>> send it back to whatever destination the javascript was
>>> written to send it to.
>>>
>>> Common people! JAVASCRIPT being executed by your
>>> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!
>> ----
>> http://en.wikipedia.org/wiki/Javascript
>>
>> Sandbox implementation errors
>>
>> Web browsers are capable of running JavaScript outside
>> of the sandbox, with the privileges necessary to, for
>> example, create or delete files. Of course, such privileges
>> aren't meant to be granted to code from the web.
>>
>> What you have demonstrated is one of the many reasons not to run GUI as
>> root but you only saw the files/folders that you could see with a tool
>> like nautilus or dolphin with exactly the same privileges so I guess I
>> can't understand your hysterics.
>>
>> If noscript gives you peace of mind, then use it.
>>
>> Craig
>>
>>
> Why do you resort to name calling?
> It is not hysterics.
> A javascript sent by web site can, if written
> to do so, open your files and upload them to
> some remote site; and you call this hysterics?
> Something is wrong with your thinking to resort
> to name calling.
> I think user's awareness, that javascripts are indeed
> invasive and a great threat to privacy, needs to be
> raised. Most users are unaware of this threat.
>

JD, if this was so blatantly easy, don't you think more people would be
doing it? Even more so, don't you think implementers (say, Mozilla)
would (and do) work around it?

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines