Slashdot Mirror
Google Goes On Offensive vs. JavaScript Attacks
alphadogg writes "Google's e-mail security team has updated its Postini engine to stop a new type of JavaScript attack that helped fuel a rise in spam volume in recent months.
Google says it has seen a surge in obfuscated JavaScript attacks, describing them as a hybrid between virus and spam messages. The e-mails are designed to look like legitimate messages, specifically Non Delivery Report messages, but contain hidden JavaScript.
'In some cases, the message may have forwarded the user's browser to a pharma site or tried to download something unexpected,' Google said in its official blog."
User should just have an option to execute or not JS in the email text. Problem solved.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
JavaScript has long outlived its usefulness. If the trend is to write large-scale applications targeting the browser, we should at least do it with a real programming language, not a half-baked scripting language that was stuck into Netscape Navigator as a hack 15 years ago.
Google, Opera, Apple and Mozilla need to get languages like Python, Ruby, Scheme and Erlang available in the browser. You know, real languages with the features necessary to write larger and more secure applications. We should stop jerking around with JavaScript, a rather pathetic scripting language that has been pushed far past what it was ever intended to handle.
Like, wow... just wow.
I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.
So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?
File under 'M' for 'Manic ranting'
I'd assume a vast majority of people don't even know what javascript is let alone why it is potentially dangerous. Sometimes you have to consider your users - which sometimes means you have to consider the ignorant, non-technical masses (ie: email users). Sure, you can feed them to the wolves, but it will come back and bite you somehow.
I will bend like a reed in the wind.
If your email client even knows how to execute Javascript (let alone makes decisions about whose scripts to trust and whose not to), then you're doing something wrong.
What's next, are people going to start building javascript interpreters into grub, iwconfig, pvcreate and ionice?
I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.
As always, this sentiment annoys me.
Ignorance may be annoying, but it doesn't mean someone "deserves" any misfortune. No one is born knowing "I should not enable javascript in my e-mail." If this slipped through google, who I expect to be better than the average user, who the hell are you to say the average user should have known better and deserves it?
It's what I keep repeating time and again. Active content (Javascript, Flash, Java, ActiveX (ick!) is a very bad idea in a browser (an even worse idea in a mail reader). It's like having a gullible ward at the front door, willing to execute whatever instructions a complete stranger gives them.
Fuck "rich web experience". Rich means here "rich in exploits", nothing else.
And every "sandbox", "security container", whatnot -- just leads to a "Gödel, Escher, Bach"-style arms race.
I have a dream. That people understand the Internet as a means of conveying useful information, not "rich", "web", "experiences" or whatever incongruent marketeer's bable is "in" these days.
Lawn and that.
...an effective attack vector against mutt.
plain text : it was good enough for Shakespeare
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Going outside doesn't really help : plenty of ads there , and adblock doesn't work on them .
Slipping shoelaces ?