Slashdot Mirror


User: krouskop

krouskop's activity in the archive.

Stories: 0
Comments: 18

Comments · 18

  1. Re:Javascript means no dice on 17 Web Based Competitors to MS Office · · Score: 1

    If you want to engage my argument — by all means; but unless you want to look childish, please avoid the ad-hominem attacks (you have no idea what I do or do not understand).

    Even if you made a perfect browser [...] that implemented JavaScript to the exact EcmaScript specifications, you would still be vulnerable...

    This is the point I was trying to make! The vulnerabilities are NOT the fault of the JavaScript language!

    ... because the XSS vulnerabilities exist in the web applications, not the browser. The design of JavaScript enables this, ...

    No, as you just admitted just a sentence ago, "the design of JavaScript" does NOT enable XSS!

    In all three types of XSS (DOM Based, Reflected, and Persistent) the fault is with the programmer (writing browser-side JavaScript code in the DOM Based case and writing server-side code in the other two cases) not validating data they are using to manipulate the DOM (DOM Based) or generate the HTML returned by the server (Reflected, Persistent). The fact that HTML allows a <script> tag is the very root of what allows this to exist at all; where the real fault lies is with the lazy programmer who is not validating the data. Neither the existence of the tag in HTML nor the laziness of the programmer is the fault of the JavaScript language.

    because the separation between code and data is flimsy (you can insert JavaScript almost everywhere in HTML, with "on ..." events -- you don't even need a script tag);

    OK.... let's look at some JavaScript:

    var b = {x:'y', i:'z'};
    doSomething(b);

    Well, what's "code" and what's "data" seems pretty clear to me, b is holding some "data"; there's a function getting called as part of some "code", etc; but I imagine you are trying to refer to something along the lines of:

    <html>
    <head>
    <script>var a = 1;</script>
    </head>
    <body onload="alert(a);">
    </body>
    </html>

    The problem with referring to that though, is that's HTML, not JavaScript. (And you didn't title your comment thread HTML means no dice.) (Your assertion that you can "insert JavaScript almost everywhere" is flatly wrong too, btw; you can only insert it in <script> elements or in event handler attributes (onload, etc). You can throw <script> elements just about anywhere, but with JavaScript only existing in those two places, it's really not that hard to identify it as being "code".)

    you couldn't do it unintentionally with a web browser that only understood Java, and a Java web application. JavaScript makes it very easy, just like C makes it easy to mishandle pointers and fixed length buffers. If C gets criticized for that, it's fair to criticize JavaScript for making XSS vulnerabilities easy.

    More of the same... There is no reason someone couldn't (though plenty of reasons someone wouldn't) write a web browser that supported interpreting Java source code instead of JavaScript source code. And if that browser exposed the same host objects (like document) you'd have about an identical number of vulnerabilities, and the exact same XSS vulnerabilities.

    Furthermore, mishandled pointers arise directly out of the design of the C language, for the about fifth time in this

  2. Re:Javascript means no dice on 17 Web Based Competitors to MS Office · · Score: 1

    First of all, you can't flatly blame the scripting language for the deficiencies of the hosting environment.

    Secondly, I can't take your rant seriously. At all. There are a plethora of Web 1.0 ways to compromise modern browsers:

    Even lynx isn't safe.

    I can only assume that you access Slashdot using nothing more than a telnet client and rendering the HTML with your mind, because those web browsers, well, like you said, they make surfing teh intarweb "like inviting a stranger from an L.A. street into your car or home. You never know what you're getting every time you click a link[...]. I don't like to play russian roulette."

  3. Re:Javascript means no dice on 17 Web Based Competitors to MS Office · · Score: 1

    Can you please elaborate with some details about these supposed "boiler explosion" level security concerns?

  4. Re:Wave goodbye everyone... on Patent Law Ruling Threatens FOSS · · Score: 2, Insightful

    Greed has driven plenty of brilliance -to- the USA

  5. Re:Thank you Lamar (What an appropriate name) on New Congressional Bill Makes DMCA Look Tame · · Score: 1

    Lamar isn't a member of the Bush administration.

  6. Re:But... on 1001 Islamic Inventions · · Score: 1
    I'm hesitant to post this since it has nothing to do with the article, but here's some clarification from a Christian perspective on the whole tie between Islam, Judaism, and Christianity:

    God makes a promise to Abram:

    I will make you into a great nation
    and I will bless you;
    I will make your name great,
    and you will be a blessing.

    I will bless those who bless you,
    and whoever curses you I will curse;
    and all peoples on earth
    will be blessed through you
    (Genesis 12)

    When Abram reaches his 80s and is still childless, his wife, Sarai, decides that Abram should conceive with her maidservant, Hagar, so that they can finally begin their family (necessitated by the Lord's promise to make Abram a great nation). Abram and Hagar conceive and Hagar gives birth to Ishmael of whom it is prophesied:

    "You are now with child
    and you will have a son.
    You shall name him Ishmael,
    for the LORD has heard of your misery.

    He will be a wild donkey of a man;
    his hand will be against everyone
    and everyone's hand against him,
    and he will live in hostility
    toward all his brothers."
    (Genesis 16)

    Then Abram turns 99:

    When Abram was ninety-nine years old, the LORD appeared to him and said, "I am God Almighty; walk before me and be blameless. I will confirm my covenant between me and you and will greatly increase your numbers."

    Abram fell facedown, and God said to him, "As for me, this is my covenant with you: You will be the father of many nations. No longer will you be called Abram; your name will be Abraham, for I have made you a father of many nations. I will make you very fruitful; I will make nations of you, and kings will come from you. I will establish my covenant as an everlasting covenant between me and you and your descendants after you for the generations to come, to be your God and the God of your descendants after you. The whole land of Canaan, where you are now an alien, I will give as an everlasting possession to you and your descendants after you; and I will be their God."

    Then God said to Abraham, "As for you, you must keep my covenant, you and your descendants after you for the generations to come. This is my covenant with you and your descendants after you, the covenant you are to keep: Every male among you shall be circumcised. You are to undergo circumcision, and it will be the sign of the covenant between me and you. For the generations to come every male among you who is eight days old must be circumcised, including those born in your household or bought with money from a foreigner--those who are not your offspring. Whether born in your household or bought with your money, they must be circumcised. My covenant in your flesh is to be an everlasting covenant. Any uncircumcised male, who has not been circumcised in the flesh, will be cut off from his people; he has broken my covenant."

    God also said to Abraham, "As for Sarai your wife, you are no longer to call her Sarai; her name will be Sarah. I will bless her and will surely give you a son by her. I will bless her so that she will be the mother of nations; kings of peoples will come from her."

    Abraham fell facedown; he laughed and said to himself, "Will a son be born to a man a hundred years old? Will Sarah bear a child at the age of ninety?" And Abraham said to God, "If only Ishmael might live under your blessing!"

    Then God said, "Yes, but your wife Sarah will bear you a son, and you will call him Isaac. I will establish my covenant with him as an everlasting covenant for his descendants after him. And as for Ishmael, I have heard you: I will surely bless him; I will make him fruitful and will greatly increase his numbers. He will be the father of twelve rulers, and I will m

  7. Re:FUD or cluelessness on Washington Post Shuts Down Blog · · Score: 1

    Your analogy with the red cross and boy scouts is really poor. Lobbying is the business of giving money / donations / etc in exchange for political influence. A lobbying donation to a congressman is quite different than a donation to a charitable organization. Also, while some are pointing out that money to dems didn't go directly through Abramoff (true), it was Abramoff who told his clients where to put their money. It's a deception to believe that the money "directly from the tribes" wasn't actually money Abramoff was using ... in fact he was the one directing it. Further reading:
    http://www.washingtonpost.com/wp-dyn/content/graphic/2005/12/12/GR2005121200286.html
    http://www.washingtonpost.com/wp-dyn/content/graphic/2006/01/18/GR2006011801026.html

  8. Re:Miserable failure on U.S. Government Wants Google Search Records · · Score: 0, Troll

    For being a failure, he sure does have liberals (and apparently a good number of Slashdotters) wound up. What's that say about liberals?

  9. Re:What happened to the free market? on Sorting Through the Analog to Digital TV Mess · · Score: 1

    My first reaction was "why can't the market take care of this" too. Broadcasters could just keep broadcasting in both analog and digital until the cost of doing the analog broadcasting exceeded cost of upsetting customers when they cut off analog broadcasting.

    As I thought about it though, government intervention does seem somewhat justified. (My inner-libertarian can't believe I just wrote that.) The justification comes from the government wanting the frequencies back for emergency communication. $1.5B seems kind of steep for a frequency range, but viewing this change over as the government buying back a frequency range for emergency communication definitely makes this look much more justified than viewing it as "Big Media has Uncle Sam in its pocket again."

  10. Re:question for /.ers on Sorting Through the Analog to Digital TV Mess · · Score: 1

    It's not exactly a set-top box, but I currently use an EyeTV 500 to record over the air HDTV to my Mac. I love it.

  11. Re:OT: 3 column layout on Hydrogen Fuel Cells Hit the Road · · Score: 2, Informative
  12. Re:Effects of Hydrogen? on Hydrogen Fuel Cells Hit the Road · · Score: 1

    I saw a similar thing (maybe the same, although I think it was shown on PBS actually) and I'm glad you made this post. With both gasoline as well as hydrogen fuel cells a lot of care has to be taken for safety, but because of the advantage of hydrogen's density it's arguably safer than gasoline.

  13. Enterprise Applications - Not Windows or Office! on Microsoft To Enter Hosting Business · · Score: 1
    Read the article please.
    Within a year, the Redmond, Wash.-based company plans to offer hosted implementations of SharePoint as well as CRM and ERP applications, several sources said.
    And understand Microsoft makes software other than Windows and Office.
    MS's move is about hosting enterprise applications (CRM, ERP, Sharepoint, e-mail) not Office or Windows. (Aside: I don't know how you would "host" an OS to begin with ... I know there is speculation Google is trying to do this but I can't ever see a day when a web site manages processes, controls your video card, etc ... ?!)
    Hosted enterprise applications are all the rage, especially because a small business can't afford a massive CRM implementation, but they can pay a per-seat monthly license fee. And if MS is copying anyone, it's Salesforce.com - not Google. Salesforce.com is a hosted CRM application (one of the three main applications the article mentions MS about to offer as hosted). Google currently doesn't provide hosting for any enterprise applications.
  14. Re:The Onion crosses political borders... on White House Cease & Desists to The Onion · · Score: 1

    If a voter makes his or her decision based on something as trite as the President (correctly!) not allowing a parody site to use the Presidential seal I'm not sure I can respect that voter's vote. There are actual issues ... Hurricane response, War on Terror, deficit ... I hope most voters will make their voting decisions on these issues, not something petty.

  15. It's a SEAL on White House Cease & Desists to The Onion · · Score: 2, Informative
    Wikipedia, could you tell me what a seal is?
    A seal is an impression printed on, embossed upon, or affixed to a document (or any other object) in order to authenticate it, in lieu of or in addition to a signature. The word is also used to describe the device used to make this impression. The study of seals is known as sigillography.
    It's a seal. It's supposed to show that something is authentic! You can't allow a seal to be used willy-nilly or it utterly loses its purpose, even if the offending use is in parody material Slashdotters apparently love. (Or if it's the seal of a President Slashdotters apparently hate.)
  16. Re:Wrong process anyway on Bush Supreme Court Nominee Former Microsoft Lawyer · · Score: 1

    I'm glad you know more than the Founding Fathers of the United States - all they did was put together a foundation for a stable government that's already lasted more than 200 years. But then again, that "separation of powers" is so overrated anyway, right?

  17. Line Item Veto Amendment Announced Today on Broadcast Flag Back in Congress · · Score: 1

    Ironically enough, today a line item veto amendment was brought forth by Republican Senator Jim Talent of Missouri:
    http://www.ksdk.com/news/news_article.aspx?storyid=85381

  18. I.D. on equal footing w/ Evolution on Equal Time For Creationism · · Score: 1

    This comment will probably get lost in the already tremendous number of posts, but I'm going to make it anyway because I couldn't find any other posts stating this.

    While it's true "Creationism" is something not fit for a Science class, Intelligent Design *is*. "Creationism" is a teaching of the Biblical narrative on creation. Intelligent Design is a scientific theory just like evolution and the two aren't mutually exclusive.

    Intelligent Design simply asks the question "does the scientific evidence we have about how the Earth was created support the theory that the Earth was designed by an intelligent force rather than by mere chance?"

    Then it's time to apply the scientific evidence to see if the theory holds any weight.

    That's the basis of science ... putting forward a theory and then measuring that theory against the facts. Intelligent Design (not creationism!!) is as much science as you can get!

    Per the National Academy of Science's assertion that "Creationism, intelligent design, and other claims of supernatural intervention in the origin of life or of species are not science because they are not testable by the methods of science" - that's a bunch of crap. The assertion of evolution claiming that the universe evolved by chance is equally un-testable ... we weren't around to watch the creation of the universe.

    Anyway, that's probably enough time spent on a post that will likely never be read.