Re: sudo disappears after latest update


 





On 02/11/2016 02:42 AM, James Hogarth wrote:


On 11 February 2016 at 06:48, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:

    Allegedly, on or about 10 February 2016, jd1008 sent:
    > I am sorry to burst the bubble that was perpetrated by Sun
    > Microsystems. I worked at Sun Microsystems as a contractor and talked
    > to a very senior developer at Menlo Park. I knew this developer from
    > working with him in a previous company. Under my oath never to reveal
    > his name, he clued me in that the fictitious "sandbox" was the entire
    > system.

    I'd go along with that, I never believed the sandbox thing.  After all,
    you can upload any file of your choosing through a Java thing in a
    website, and it could save a file to anywhere you selected.  That's
    hardly sandboxed.

    And, if you went through the Java preferences, on those browsers that
    gave you an extensive interface, you could select all sorts of breakout
    allowances, many of which were preset to allowed.


Just to bring things back to reality though. The claim was that *javascript* could execute sudo commands and has full access to the system (no sandbox) and that has nothing to do with java applets/applications whatsoever.

False!
JS, when obediently executed by the browser, can write into any directory writable by the logged-in user who is using the browser.
Similarly, it can also delete files from any directory writable by the same user.
Perhaps you are simply unaware of all the aspects of Java and JS.

Have you perused and analyzed the entirety of the code and libraries that the browser is built from? That Java and JS are built from? I seriously DOUBT it. The sheer size of that code makes it so time-consuming to comb through it thoroughly, it (the code size) is the perfect place to hide security breaches from the user. Couple that with the fact that the sources and tools that build Java and JS are very different to the sources and tools on your system.

Are you aware that when you download the full browser source code to build on your system, you will run into issues of library incompatibilities and tool version incompatibilities?
I have tried many times over the past 10 to 15 years.

Let us suppose that, after you downloaded all the sources (including the system's libs and tools sources), you spent 5 years tracking down security holes and removing them, and built the browser and javascript libs free of such holes; then what? The next dnf update will overwrite all that and replace it with infected software. So, you see, it is a daunting enterprise to disinfect the system from very well hidden security holes. Couple all that with something called "code obfuscation"!!! It will be well nigh impossible to read the code and find the security holes.

