Re: [Bulk] Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
On 15-10-2014 17:56, Kevin Chadwick wrote:
> The address bar is one of the only things you can trust when browsing a
> web page

Provided your dns isn't spoofed. And you're not being targeted with a mitm attack. And perhaps a few other things. But yeah, the address bar can normally be trusted.

> Get rid of the address bar! and allow javascript everywhere, you
> must work for Google;-)

It's funny you said that, because the POODLE vulnerability released yesterday (ironically from Google), besides needing a mitm attack, uses javascript on the user's browser for its attack vector. People need more proof that javascript is harmful?

Cheers
Re: [Bulk] Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
On Tue, 7 Oct 2014 05:11:30 +0300 Matti Karnaattu wrote:
> Like removing that stupid "web browser"
> idiom that where is addressbar and back/forward buttons.

The address bar is one of the only things you can trust when browsing a web page to the point that some mal-sites or mal-ads actually try to go full-screen and use a mock address bar within the page where incidentally the attack could be made much more effective/dangerous with javascript akin to the more widely known html for emails allowing fonts that make urls fool people.

Get rid of the address bar! and allow javascript everywhere, you must work for Google ;-)
Re: openbsdstore: enable javascript and buy something or gtfo
On Mon, 06 Oct 2014 19:09:08 -0600 Theo de Raadt wrote:
> > I think Matti is a government plant, or quite high in industry.
> > Please people, ignore him.
>
> Let me explain Matti to you:
>
> 1. first I break your chmod.
> 2. Oh you won't fall for that. bummer
> 3. next I convince you that JS is good.
> 4. While there, convince everyone Theo is the reason JS is everywhere.
>
> Either he's a plant, or you are all stupid.

My vote's for the latter. At the organizational level of clusterf*k and above, malevolent conspiracy and plain blind stupidity are functionally indistinct.

Dhu

> We can't all be this stupid, and I have never been responsible for
> any of your actions -- even if you fall for a person on a @gmail.com
> account like that.
>
> He got a fake Finnish name, but I bet he lives in the US or UK!

--
Ne obliviscaris, vix ea nostra voco.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
>You are on the wrong list.

Ok. I will unsubscribe myself for.. eternity. Because I obviously have hurt feelings. Especially yours, Theo. I did not intentionally do that. And I have _never_ bashed you. And I actually never got what makes you so upset.

I'm enthusiast to tech without religion. Agnostic doesn't care that much about something, what is apparently extremely important to you.

Kindest thing you have ever said to me is that I'm government plant. Well, I'm not and I don't work Google either. But I think that is kind because I believe that it should be hard to make you to believe that.

It is better to me to disappear because it probably more beneficial to me put my free time effort when I'm between jobs to somewhere else than finding bugs from OpenBSD.

Theo, bruteforce stress testing for OpenBSD went better than I expected. Surprisingly little amount of fails. Sometimes when I debate, it gets out of hands. I should have quit this thread when I said that. My apologies. For everyone.
Re: openbsdstore: enable javascript and buy something or gtfo
Matti Karnaattu wrote
>How I can have you to be more relaxed? With beer?

Just what I need. Life support on drunk programs writ by drunk programmers. Please. You are a threat to my continued existence.
Re: openbsdstore: enable javascript and buy something or gtfo
>next I convince you that JS is good.

I said that it crappy, but it happens that crap gets adopted standard. It just happens, it has happened before and when the shit works and solve compatibility issues by having adopted standard, it is useful. What can I do for that?!

It is problem in IT-industry that every player want to smuggle patent into standards or want to make own tech to adopted and demand royalties. Then everyone make own incompatible version on same thing and others make new abstraction layer of shit to make things again compatible.

The reason why I think JS is great is that all players in IT-industry are committed to support it. ~everyone tried to put own proprietary tech to same use and failed. Now everyone are given up, and support that JS and now it WORKS. It is good to everyone support that portable technology because now their own native ecosystems looks better and they can make users to depend on them. And no one can't stop supporting JS either because then software stops working.. -> we got established standard.

I also think that this is again new abstraction layer of shit but it is kind of inevitable while IT industry failed to make standard hardware architecture and top of HW, there is C code that is depending on build technology from 70's.

> While there, convince everyone Theo is the reason JS is everywhere.

I didn't mess you to this discussion and I haven't bashed you everywhere, never. I actually respect your work, but you behave like I've got you on your toes.

How I can have you to be more relaxed? With beer?
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
> >but at the same time using the conversation to hurt people trying to
> >build something simpler.
>
> It is not meant to hurt anyone.

"I didn't mean to kill that guy when I was doing 250km"

> It is just that sometimes happens event called "disruptive innovation".

You tried to break chmod. Please innovate elsewhere.

> When it happens, it is good to sit down and think, why that happened and
> why I was so stupid to not to realize that myself, because there are
> some good reasons always what make that event possible. It is also
> stupid to ignore that event ever happened.

Yes, it is good to sit down and think.

> This conversation brings me a lot of ideas what should be done when
> building something simple.. Like removing that stupid "web browser"
> idiom that where is addressbar and back/forward buttons.

You are on the wrong list.

> How about changing "web browser" to "app launcher".

You must be really full of yourself, because you are on the wrong mailing list.

> Something like "launch https://application.com" and that app launcher is
> designed to be app container. Application is started for local or remote
> computer, enforces security restricting access to local resources and
> remote servers and even know window coordinates so every application
> is launched on correct position on screen. And Javascript console.log
> can put stuff to stdout, errors to stderr...

You are on the wrong list.

> That can be also then use to make more complex user interfaces,
> integrating several applications to one view. Hell yeah, more I think,
> I just don't even want to use anything else than those, terminal
> windows and X for legacy apps.

You are on the wrong list.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
>but at the same time using the conversation to hurt people trying to
>build something simpler.

It is not meant to hurt anyone. Optimal complexity is when there is nothing you like to add and nothing you like to remove.

It is just that sometimes happens event called "disruptive innovation".

When it happens, it is good to sit down and think, why that happened and why I was so stupid to not to realize that myself, because there are some good reasons always what make that event possible. It is also stupid to ignore that event ever happened.

I didn't understand myself right away that iPhone was such a event (and I'm not Apple fanboy at all).

This conversation brings me a lot of ideas what should be done when building something simple.. Like removing that stupid "web browser" idiom that where is addressbar and back/forward buttons.

How about changing "web browser" to "app launcher".

Something like "launch https://application.com" and that app launcher is designed to be app container. Application is started for local or remote computer, enforces security restricting access to local resources and remote servers and even know window coordinates so every application is launched on correct position on screen. And Javascript console.log can put stuff to stdout, errors to stderr...

That can be also then use to make more complex user interfaces, integrating several applications to one view. Hell yeah, more I think, I just don't even want to use anything else than those, terminal windows and X for legacy apps.

It can also change world better if defaults are secure and that app launcher is adopted.
Re: openbsdstore: enable javascript and buy something or gtfo
On 06-10-2014 22:37, Theo de Raadt wrote:
> I love this conversation.
>
> Hey don't trust OpenBSD, because the new (outsourced) store uses Javascript.

Never, in any moment in the thread I said that the store shouldn't be trusted.

> But trust Matti and Giancarlo's email headers.

While we are at it, why should I trust that you're really Theo?

> The conversation is not ludicrous. Matti and Giancarlo are either
> stupid, or they work for someone who wants to fool everyone.

Only speaking for myself here, but neither of the options.

> Giancarlo, you are really special to me.

You too Theo.
Re: openbsdstore: enable javascript and buy something or gtfo
On 06-10-2014 22:31, Theo de Raadt wrote:
> You are the troll; he is the plant.

All right. Will end the discussion now. Just rest assured I'm not working in any government agency, IT big enterprise and do not have any hidden agenda.

Bye
Re: openbsdstore: enable javascript and buy something or gtfo
> On 06-10-2014 22:23, Theo de Raadt wrote:
> > And you are UK or US as well. Nice Italian name, but you are likely
> > part of the same parcel. Thanks for replying so fast!
> Hahahahha. Brazilian Theo. Italian descendent. You can check my headers
> and you'll see. Don't be so paranoid. And I'm not feeding the troll any
> further, don't worry.

I love this conversation.

Hey don't trust OpenBSD, because the new (outsourced) store uses Javascript.
But trust Matti and Giancarlo's email headers.

The conversation is not ludicrous. Matti and Giancarlo are either stupid, or they work for someone who wants to fool everyone.

Giancarlo, you are really special to me.
Re: openbsdstore: enable javascript and buy something or gtfo
> On 06-10-2014 22:23, Theo de Raadt wrote:
> > And you are UK or US as well. Nice Italian name, but you are likely
> > part of the same parcel. Thanks for replying so fast!
> Hahahahha. Brazilian Theo. Italian descendent. You can check my headers
> and you'll see. Don't be so paranoid. And I'm not feeding the troll any
> further, don't worry.

You are the troll; he is the plant.
Re: openbsdstore: enable javascript and buy something or gtfo
On 06-10-2014 22:23, Theo de Raadt wrote:
> And you are UK or US as well. Nice Italian name, but you are likely
> part of the same parcel. Thanks for replying so fast!

Hahahahha. Brazilian Theo. Italian descendent. You can check my headers and you'll see. Don't be so paranoid. And I'm not feeding the troll any further, don't worry.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
>If any of these end up being better than JS,
>I don't see any reason not to use them.

I think everyone of these are better if you don't care about portability.

>I prefer to use a desktop application for those instead
>of running them from my browser. Just saying.

There isn't much new desktop applications done lately, except for web.. I have my data in my servers, but I would like if I can manipulate everything directly with web interface in my network. That would be clean architecture.

>you always should check your inputs,
>even software that run only on the server side.

Sure. I even employ DbC in my functions too..
Re: openbsdstore: enable javascript and buy something or gtfo
> On 06-10-2014 22:09, Theo de Raadt wrote:
> > He got a fake Finnish name, but I bet he lives in the US or UK!
> From the e-mail headers, US. Don't worry Theo, I won't be feeding the
> troll any further. Just don't like stupid people spreading
> misinformation. Others might believe it.

And you are UK or US as well. Nice Italian name, but you are likely part of the same parcel. Thanks for replying so fast!
Re: openbsdstore: enable javascript and buy something or gtfo
On 06/10/14 9:01 PM, Matti Karnaattu wrote:
>> Browsers are getting slower all the time.
>
> Bullshit. Try this: http://peacekeeper.futuremark.com

Actually it isn't bullshit. It is the truth. You just fail to understand what he means.

> Newer browsers run software faster. Ancient browsers may even fail tests.

and yet browsers on some of my systems run software slower and each release is getting slower and slower. There is no good reason a quad core system with 6GB of RAM should run a browser like it's molasses on a cold winter day, but that's the way it is with the bloated ass crap we have called web browsers.
Re: openbsdstore: enable javascript and buy something or gtfo
On 06-10-2014 22:09, Theo de Raadt wrote:
> He got a fake Finnish name, but I bet he lives in the US or UK!

From the e-mail headers, US. Don't worry Theo, I won't be feeding the troll any further. Just don't like stupid people spreading misinformation. Others might believe it.
Re: openbsdstore: enable javascript and buy something or gtfo
> I think Matti is a government plant, or quite high in industry.
> Please people, ignore him.

Let me explain Matti to you:

1. first I break your chmod.
2. Oh you won't fall for that. bummer
3. next I convince you that JS is good.
4. While there, convince everyone Theo is the reason JS is everywhere.

Either he's a plant, or you are all stupid.

We can't all be this stupid, and I have never been responsible for any of your actions -- even if you fall for a person on a @gmail.com account like that.

He got a fake Finnish name, but I bet he lives in the US or UK!
Re: openbsdstore: enable javascript and buy something or gtfo
I think Matti is a government plant, or quite high in industry. Please people, ignore him.
Re: openbsdstore: enable javascript and buy something or gtfo
>You mean, there is _legislation_ on how to write software?

Some industries, yes. But this is not related to JS. Practically whole IT-industry supports JS. If you like to do portable application programming, you have to write JS or compile your code to JS if you want to get that working everywhere.

>You mean, unlike C?

Write graphical application, Hello World is enough, that should work on all desktops, workstations, tablet, pocket/phone and game console. It must work all supported versions and all HW architectures. End users must not need to compile code. Just run ready software.

Now, do you see why C isn't portable by today standards?

>Your browser is written in what language exactly?

Application programmer doesn't need to know anything below browser. It is very strong interface. Something like libc. When someone writes some command line tool, there is no need to know what is below libc.

>"Running PHP code top of Java stack"?
>What on earth are you talking about?

Portable application source is JS or compiled to JS (from Coffeescript, Typescript etc.). There is libraries and frameworks but they all run top of browser where everything is JS.

In server side, below is libc and top of that there is Ruby, Java, C#, Python, PHP, C, C++, node.js etc. software stacks. And there is often code mixed from other software stacks and all those stacks of course are running.

>Browsers are getting slower all the time.

Bullshit. Try this: http://peacekeeper.futuremark.com

Newer browsers run software faster. Ancient browsers may even fail tests.

>We have had it for decades.

There were JS applications made ten years ago, yes. It matured 2009 or something to be very usable. Before it was slow, buggy, some browsers were limited and it required much effort to make the crap working. In past year, JS technology is matured to that level there isn't much limitations any more.

>You really _are_ trolling, right?

I'm not.

You just can't practically make portable application without JS or language that is compiled to JS. I think that is the biggest industry changing trend what is caused by iPhone.

Before that, there was libc and some nice library like GTK+ or some other, you can write software that can compile and run about everywhere. Then Steve pulled iPhone from jeans pocket, iPhone was very closed ecosystem, useful and popular and changed application programming. You are very ignorant if you didn't notice that.

Did you notice that Google, Microsoft and Canonical began to do the same? It also matters when over 99% of frontends are from these companies + game consoles too, which have always been restricted.

It is impossible to application programmer to ignore that. Especially when everyone seems to be dropping out, deprecating or put second-class citizen status those technologies that makes possible to write easily portable software without JS.

Example:
-Apple has removed X from Mac OS
-Both Red Hat and Canonical seems to be abandoning X
-Microsoft is starting to upgrade OS once a year or something and advertise "unified OS". In Windows 8, all but WinRT and HTML5 apps works terribly.
-Microsoft restricted new WinRT API to Microsoft store
-Apple has deprecated Carbon
-Those application stores are under control

Simply, application programmer is pushed to JS stack if you want to make application portable, so that it also has a continuity. You never know when Win32, or some other backbone is dropped or it is available only in some embedded edition.

It is also realized by Qt, because QML can run top of runtime, in environment where you just can't compile C++ for some reason.

Of course it doesn't matter if application doesn't have to be portable. Just write C# for WinRT or C for OpenBSD + GTK+3 and be happy.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
Great conversation... Somehow you guys spend all your time whining about complicated deep technologies like Java / Javascript -- condemning them for their nasty complexity -- but at the same time using the conversation to hurt people trying to build something simpler. Who do you work for? Governments?
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
On 06-10-2014 17:48, Matti Karnaattu wrote:
> Node.js

I've used it, and there is too much hype about it. It has its uses, but can be replaced with other non javascript technologies, at least from the server side.

> And this is current status. Apple, Canonical, Google and Microsoft
> pushing their own competing front end ecosystems. And there is still
> HTML/JS which is portable.
>
> I see current situation very ideal.

If any of these end up being better than JS, I don't see any reason not to use them.

> Not all applications are for that. Let's say, numerical analysis software,
> video conferencing, electrical planning software.. or how about IDE with
> realtime code analysis?

I said a great deal is for it. Of course not all of them. But, the examples you gave aren't the best ones. I prefer to use a desktop application for those instead of running them from my browser. Just saying.

> It is very useful to see bugs while I write code without need to
> compile. It is even useful in Word Processing to have real time spell
> checking.
>
> These are not just cosmetic things.

That's why you have scripting languages. Javascript is just another one that happens to be the *only* one in the client side.

> Of course I control. It very possible to white list / black list
> domains. It possible to limit all scripts to be launched from same
> trusted domain
> where I launch application. It is possible to install whole application
> to own server if I want. It is possible to put whole application instance to
> sandbox and require permission to camera, or limit memory usage. All
> data client sends is possible to control and monitor.

Well, this thread started because the OP not only controls what JS he opens in his browser, but he does not allow any. We already established that you can control, and allow or not it. The main issues are, the huge potential for misuse and the plethora of JS that tag along when you open a site and it starts pulling scripts from third parties, most of the time, not even encrypted.

> In security point of view, who manages server can't control what happens
> in client side.

Not always true.

> Client is always untrusted and input need to check.

This goes without saying. I go even further, you *always* should check your inputs, even software that run only on the server side.

> Client
> however can't control what happens in server.

Also, not always true.

> Client have to trust
> server where data is send.

The main point of this discussion. The internet is the most hostile environment possible. The browser, which acts on your behalf, shouldn't *have* to trust whichever the server sends and run it unrestricted. This design is flawed.

> Everything else can be controlled.

Biggest bullshit you wrote in this entire thread.

> And JS is for making app.

But it's not the *only* option. This is one of the greatest points of mobile apps. You can choose how to do things. Even on the apple world, which is way more restricted than the android one.

Cheers
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
> But none of them require javascript to function.

Node.js

>What is not a good thing is to have just one standard. That's never
>good.

And this is current status. Apple, Canonical, Google and Microsoft pushing their own competing front end ecosystems. And there is still HTML/JS which is portable.

I see current situation very ideal.

>A great deal in which javascript is used is to make cosmetic things pop
>in your browser that you really doesn't need for getting what you need:
>information.

Not all applications are for that. Let's say, numerical analysis software, video conferencing, electrical planning software.. or how about IDE with realtime code analysis?

It is very useful to see bugs while I write code without need to compile. It is even useful in Word Processing to have real time spell checking.

These are not just cosmetic things.

>The problem with javascript, that we are pointing and you're not listening,
>is that you don't control what is run.

Of course I control. It very possible to white list / black list domains. It possible to limit all scripts to be launched from same trusted domain where I launch application. It is possible to install whole application to own server if I want. It is possible to put whole application instance to sandbox and require permission to camera, or limit memory usage. All data client sends is possible to control and monitor.

In security point of view, who manages server can't control what happens in client side. Client is always untrusted and input need to check. Client however can't control what happens in server. Client have to trust server where data is send. Everything else can be controlled.

>even then, you would probably be using an app.

And JS is for making app.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
>however it *is* realistic and reasonable to *limit*
>the cross-site JS code that is only there for the use of other third
>parties.

I agree. I filter too crap away. Javascript itself is not problem.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
On 06-10-2014 14:20, Matti Karnaattu wrote:
> I strongly disagree.
>
> In server side there is vast amount of different software stacks build
> top of C library and they are incompatible. Running PHP code top of
> Java stack just doesn't work.

But none of them *require* javascript to function.

> In client side, there has ongoing for several years a huge shift where
> ~all client code runs top of HTML/JS. And this is very remarkable
> because client side code doesn't any longer care what is below that
> HTML/JS environment. The umbilical cord for C language stack or OS is
> cut off, and practically all major players in IT-industry are committed
> for that.

Of course it's nice to have a standard on the browsers and they, almost, always speak the same language. But there will always be an umbilical cord with C. Even the almighty browser need an OS to run on top of it. I don't see that changing in the near future.

> Imagine that if late nineties, whole IT industry has decided to cut off
> all legacy and start to compile only Java byte code to Java API. All
> applications work every computer without recompiling, and Java runtime
> removes hardware and OS dependency, isolating all applications to
> sandboxes that restrict memory, disk space, filesystem access etc.
>
> That would have been great, but Sun Microsystem withdraw from
> standardization process, Microsoft implementation was totally
> incompatible, and while Java was proprietary it was not accepted by open
> source communities any more than Sun Microsystem competitors.

It would never happen. Java isn't all that great and even if Sun painted it gold, it would never take off. There is a reason why the web is dominated by scripting languages these days. And the reason isn't why sun didn't push for standardization, or anything like that. Is because java sucks.

> But now, it is a totally new game. Javascript is standard, there is open
> source implementations and they are compatible. World is changed that
> HTML/JS is global standard for application frontends.
>
> And then there is local 'standards', "ecosystems", if there is need to
> make exclusive application for Apple or something. These competing local
> standards keep development running.

On the web, everybody should speak the same language. And that's a good thing. What is not a good thing is to have just one standard. That's never good.

> Maybe one in thousand. These were more popular back then when
> computers were slow and browsers immature, something like 7 years ago.
>
> Past two years, almost no one used these because applications doesn't
> work without JS.

Well, if you take just the downloads of the tor browser alone, there are a lot of people using noscript. You're speaking bullshit. Things are turning in the opposite direction. Sites that enhance the privacy of their users, will get competitive advantage.

> You can't create applications without JS. Example, think about how
> mapping software are done with realtime pathfinding.

Cosmetic things that aren't needed unless you're using a mobile browser, even then, you would probably be using an app.

> Disabling Javascript is like disabling ability to run modern application
> software. It is same if I just turn off computer. It is then secured.

A great deal in which javascript is used is to make cosmetic things pop in your browser that you really don't need for getting what you need: information. There are good uses of it of course, but it's not needed for making a great application.

> So it is better to download unknown application binary from when you
> like to see map? And think about effort to make that application to
> Android API, Cocoa, GTK+ 2, Qt and WinRT.

Yes. It is better. It's made for that. The problem with javascript, that we are pointing and you're not listening, is that you don't control what is run. If I download a binary application, even if it's not ideal, I can inspect what it's doing with debuggers, network capture, etc. It's not the best thing, but you can, if you want to. With JS when I go to a site, they start pulling third parties scripts, that pull others, and others. And it's a nightmare to see what's happening.

> Or, just make application to HTML/JS and that run everywhere in
> sandbox without hassle. Portability matters.

That's the job of the browser, and things are headed that way. But until we get there, I'll keep using noscript.

Cheers,
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
On Mon, 6 Oct 2014, Matti Karnaattu wrote:
> Disabling Javascript is like disabling ability to run modern application
> software. It is same if I just turn off computer. It is then secured.

Sorry, that is totally bogus!

The **FIRST** thing one should do when sitting down at a new browser is install NoScript [which is the most important reason TO use Firefox] and CookieMonster, so you can SEE what JS code is running and have the option to block individual sites.

I interpreted the comment to which you are referring as 'controlling' what JS is running, so YOU have the choice as to whether to allow tracking code (e.g. googleanalytics) or block.

As you state, it is *not* possible to use anything more than a basic website without JS, however it *is* realistic and reasonable to *limit* the cross-site JS code that is only there for the use of other third parties.

Lee
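Several posts in this thread turn on the same point: a page pulls scripts from third parties, sometimes over plain HTTP, and the reader wants to allow-list the few hosts he trusts and limit the rest. The sketch below is an added example, not code from any poster or from the store: it lists every script a page references, marks which are third-party or unencrypted, and applies a host allow-list. The page URL, host names, sample HTML, the `audit_scripts` name and the allow/block policy are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not taken from any real site).
SAMPLE_URL = "https://store.example/checkout"
SAMPLE_HTML = """
<html><head>
<script src="/static/cart.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="http://ads.example.org/track.js"></script>
<script src="https://pay.example.com/checkout.js"></script>
<script>var inlineCode = 1;</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect script sources, count inline scripts, remember <base href>."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline = 0
        self.base_href = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base_href is None and attrs.get("href"):
            self.base_href = attrs["href"]
        elif tag == "script":
            src = (attrs.get("src") or "").strip()
            if src:
                self.sources.append(src)
            else:
                self.inline += 1


def audit_scripts(page_url, html, allowed_hosts=()):
    """Classify each referenced script relative to the page that loads it.

    Assumed policy: a script is allowed only if it is fetched over HTTPS
    and is either first-party or served from an allow-listed host.
    """
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()

    # Relative and protocol-relative URLs resolve against <base> if present.
    base = urljoin(page_url, collector.base_href or "")
    page_host = (urlsplit(page_url).hostname or "").lower()
    allowed = {h.lower() for h in allowed_hosts}

    scripts = []
    for src in collector.sources:
        full = urljoin(base, src)
        parts = urlsplit(full)
        host = (parts.hostname or "").lower()
        third_party = host != page_host
        plaintext = parts.scheme != "https"
        trusted = (not third_party) or host in allowed
        scripts.append({
            "url": full,
            "host": host,
            "third_party": third_party,
            "plaintext": plaintext,
            "verdict": "allow" if trusted and not plaintext else "block",
        })
    return {"inline": collector.inline, "scripts": scripts}


if __name__ == "__main__":
    report = audit_scripts(SAMPLE_URL, SAMPLE_HTML, {"pay.example.com"})
    print("inline scripts:", report["inline"])
    for s in report["scripts"]:
        flags = [f for f in ("third_party", "plaintext") if s[f]]
        print(f'{s["verdict"]:5} {s["url"]} {",".join(flags)}')
```

This is a static view of the markup only: scripts that other scripts add at run time never appear in it, so the list is a lower bound on what a browser with JavaScript enabled would fetch.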
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
>Except it doesn't, server side code is more universal.

I strongly disagree.

In server side there is vast amount of different software stacks build top of C library and they are incompatible. Running PHP code top of Java stack just doesn't work.

In client side, there has ongoing for several years a huge shift where ~all client code runs top of HTML/JS. And this is very remarkable because client side code doesn't any longer care what is below that HTML/JS environment. The umbilical cord for C language stack or OS is cut off, and practically all major players in IT-industry are committed for that.

Imagine that if late nineties, whole IT industry has decided to cut off all legacy and start to compile only Java byte code to Java API. All applications work every computer without recompiling, and Java runtime removes hardware and OS dependency, isolating all applications to sandboxes that restrict memory, disk space, filesystem access etc.

That would have been great, but Sun Microsystem withdraw from standardization process, Microsoft implementation was totally incompatible, and while Java was proprietary it was not accepted by open source communities any more than Sun Microsystem competitors.

But now, it is a totally new game. Javascript is standard, there is open source implementations and they are compatible. World is changed that HTML/JS is global standard for application frontends.

And then there is local 'standards', "ecosystems", if there is need to make exclusive application for Apple or something. These competing local standards keep development running.

>Any idea how many noscript users there are amongst other filters and
>browsers like xombrero.

Maybe one in thousand. These were more popular back then when computers were slow and browsers immature, something like 7 years ago.

Past two years, almost no one used these because applications doesn't work without JS.

>Simple HTML5 features and CSS3 are welcome by me but even JIT for
>performance annoys me. I'd rather they fixed the bugs and memory leaks
>and let me use websites in style and confidence.

You can't create applications without JS. Example, think about how mapping software are done with realtime pathfinding.

>If you had looked into browser vulnerabilities you would see that the
>*vast* majority even ones which do not mention that javascript is the
>issue can be avoided by disabling javascript or the issue is javascript
>related.

Disabling Javascript is like disabling ability to run modern application software. It is same if I just turn off computer. It is then secured.

>If I want to run an even more complex app then I would much prefer
>to do just that and run the web based dedicated application separately
>which any decent application needs anyway (application or plugin) and
>making it pointless bloat.

So it is better to download unknown application binary from when you like to see map? And think about effort to make that application to Android API, Cocoa, GTK+ 2, Qt and WinRT.

Or, just make application to HTML/JS and that run everywhere in sandbox without hassle. Portability matters.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
People wrote:
> There are two things which irritate me in computing:
>
> 1. Need of security updates
> 2. Two pieces of technology which are not compatible with each other.
>
> I'm GLAD that finally we have Javascript. At last, we have language and
> platform that WORKS universally.

Except it doesn't, server side code is more universal. Any idea how many noscript users there are amongst other filters and browsers like xombrero.

> It is simply wonderful. Best thing after invention of WWW.

Wonderful yet the need for security updates irritates you???

If you had looked into browser vulnerabilities you would see that the *vast* majority even ones which do not mention that javascript is the issue can be avoided by disabling javascript or the issue is javascript related.

>> (hey, even PayPal works without JS !)

Shortly before the recent security breaches I thankfully left paypal partly because they started requiring javascript but mainly because they were showing a technical lack of security understanding. Are you saying that they have reverted requiring javascript?

> The thing is that web is more than "web sites". It is also full of
> applications and these are totally mixed.

Simple HTML5 features and CSS3 are welcome by me but even JIT for performance annoys me. I'd rather they fixed the bugs and memory leaks and let me use websites in style and confidence.

If I want to run an even more complex app then I would much prefer to do just that and run the web based dedicated application separately which any decent application needs anyway (application or plugin) and making it pointless bloat.
Re: openbsdstore: enable javascript and buy something or gtfo
>1. OpenBSD is a great example of the difference that having security as
>a primary design and development objective makes, unlike most other
>OSes (including all flavors of linux) which do "added" security.

Yes, primary objective. Definitely. It is also form of "added" security, because it is based on constantly iterating and auditing old source and design. It isn't made cleanroom software development process from ground up.

Of course, me and probably everyone else here appreciate the real security which is achieved by correcting the bugs.

>A quick look at [0] demonstrates your utter ignorance of EAL

I know EAL. My point was that ancient unsecure stuff can be secured by auditing, re-engineering and using mitigation. OpenBSD is prime example. These methods also apply running Javascript.

>It's probably high time to let this utterly degenerated thread die..

I agree. It has done its purpose when Matthew pointed that sandboxing is not implemented in Chromium or Firefox.
Re: openbsdstore: enable javascript and buy something or gtfo
On Sun, Oct 05, 2014 at 11:36:33AM +0200, Ingo Schwarze wrote:

> Hi,
>
> talking about setting the record straight...
>
> System Administrator wrote on Sat, Oct 04, 2014 at 11:57:56PM -0400:
>
> > 2. Open*BSD* as the name implies, had no "decades old" Unix code and
> > by now has had much of the _original_ BSD code replaced as well.
>
> The ancestors of OpenBSD are, in direct line only:
>
>  * Version 1 AT&T UNIX (Nov. 1971)
>  * Version 2 AT&T UNIX (June 1972) based on v1
>  * Version 3 AT&T UNIX (Feb. 1973) based on v2
>  * Version 4 AT&T UNIX (Nov. 1973) based on v3
>  * Version 5 AT&T UNIX (June 1974) based on v4
>  * Version 6 AT&T UNIX (May 1975) based on v5
>  * PWB/UNIX 1.0 (July 1977) based on v6
>  * 1BSD (Mar. 1978) based on v6
>  * Version 7 AT&T UNIX (Jan. 1979) based on v6 and PWB
>  * 2BSD (May 1979) based on v6
>  * Version 32v AT&T UNIX (May 1979) based on v7
>  * 3BSD (Feb. 1980) based on 32v and 2BSD
>  * 4.0BSD (Nov. 1980) based on 3BSD
>  * 4.1BSD (June 1981) based on 4.0BSD
>  * 4.1aBSD (May 1982) based on 4.1BSD
>  * 4.1cBSD (Dec. 1982) based on 4.1aBSD
>  * 4.2BSD (Sep. 1983) based on 4.1cBSD
>  * 4.3BSD (July 1986) based on 4.2BSD
>  * 4.3BSD-Tahoe (June 1988) based on 4.3BSD
>  * BSD Net/1 (Mar. 1989) based on 4.3BSD-Tahoe
>  * 4.3BSD-Reno (June 1990) based on Tahoe and Net/1
>  * BSD Net/2 (Aug. 1991) based on 4.3BSD-Reno
>  * 386BSD 0.0 (Mar. 1992) based on Net/2
>  * 386BSD 0.1 (July 1992) based on 386BSD 0.0
>  * NetBSD 0.8 (Apr. 1993) based on 386BSD 0.1
>  * 4.4BSD (June 1993) based on Reno and Net/2
>  * NetBSD 0.9 (Aug. 1993) based on NetBSD 0.8
>  * 4.4BSD-Lite1 (Apr. 1994) based on 4.4BSD
>  * NetBSD 1.0 (Oct. 1994) based on NetBSD 0.9 and 4.4BSD-Lite1
>  * 4.4BSD-Lite2 (June 1995) based on 4.4BSD-Lite1
>  * OpenBSD 1.2 (July 1996) based on NetBSD 1.0
>  * OpenBSD 2.0 (Oct. 1996) based on OpenBSD 1.2 and 4.4BSD-Lite2
>
> It is true that much of the original BSD code has been replaced.
> But looking closely, you will still find decades old code from
> almost all BSD releases. Compare, for example,
>
>   http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/expand/expand.c?annotate=HEAD
>
> to
>
>   http://minnie.tuhs.org/cgi-bin/utree.pl?file=1BSD/s6/expand.c
>
> in particular the main loop. Yes, much of the code has been amended,
> but some parts remain unchanged since more than 36 years ago.
> According to the Berne Convention, that file still contains text
> covered by Bill Joy's Copyright, even though - following U.S.
> Copyright law - the Copyright Notice only mentions The Regents.
> That is just one of no doubt many examples.
>
> It is even possible that OpenBSD still contains traces of decades
> old AT&T UNIX code. Good candidates for looking are the following 23
> files, see http://www.groklaw.net/article.php?story=20041126130302760 :
>
>   sys/kern/init_main.c
>   sys/kern/kern_clock.c
>   sys/kern/kern_exec.c
>   sys/kern/kern_exit.c
>   sys/kern/kern_physio.c
>   sys/kern/kern_sig.c
>   sys/kern/kern_synch.c
>   sys/kern/subr_rmap.c
>   sys/kern/sys_generic.c
>   sys/kern/sys_process.c
>   sys/kern/tty.c
>   sys/kern/tty_subr.c
>   sys/kern/vfs_bio.c
>   sys/kern/vfs_syscalls.c
>   sys/sys/buf.h
>   sys/sys/proc.h
>   sys/sys/tty.h
>   sys/ufs/dinode.h
>   sys/ufs/inode.h
>   sys/ufs/ufs_bmap.c
>   sys/ufs/ufs_disksubr.c
>   sys/ufs/ufs_inode.c
>   sys/ufs/ufs_vnops.cl
>
> I checked init_main.c, and it still says:
>
>  * (c) UNIX System Laboratories, Inc.
>  * All or some portions of this file are derived from material licensed
>  * to the University of California by American Telephone and Telegraph
>  * Co. or Unix System Laboratories, Inc. and are reproduced herein with
>  * the permission of UNIX System Laboratories, Inc.
>
> I'm too lazy now to check whether any of that code *actually* still
> remains or if it has *incidentally* all been replaced since. In
> any case, i'm not aware that there ever was any *intentional* effort
> to replace AT&T UNIX code in these files. So your claim that none
> remains seems somewhat bold to me. Then again, if any remains, it
> is certainly not a large amount.
>
> History is fun (litigation not so much).
>
> Yours,
>   Ingo

And please keep in mind that the statement "old code = bad code" is not true. Old code can be bad or good, just like new code.

-Otto
Re: openbsdstore: enable javascript and buy something or gtfo
Hi,

talking about setting the record straight...

System Administrator wrote on Sat, Oct 04, 2014 at 11:57:56PM -0400:

> 2. Open*BSD* as the name implies, had no "decades old" Unix code and
> by now has had much of the _original_ BSD code replaced as well.

The ancestors of OpenBSD are, in direct line only:

 * Version 1 AT&T UNIX (Nov. 1971)
 * Version 2 AT&T UNIX (June 1972) based on v1
 * Version 3 AT&T UNIX (Feb. 1973) based on v2
 * Version 4 AT&T UNIX (Nov. 1973) based on v3
 * Version 5 AT&T UNIX (June 1974) based on v4
 * Version 6 AT&T UNIX (May 1975) based on v5
 * PWB/UNIX 1.0 (July 1977) based on v6
 * 1BSD (Mar. 1978) based on v6
 * Version 7 AT&T UNIX (Jan. 1979) based on v6 and PWB
 * 2BSD (May 1979) based on v6
 * Version 32v AT&T UNIX (May 1979) based on v7
 * 3BSD (Feb. 1980) based on 32v and 2BSD
 * 4.0BSD (Nov. 1980) based on 3BSD
 * 4.1BSD (June 1981) based on 4.0BSD
 * 4.1aBSD (May 1982) based on 4.1BSD
 * 4.1cBSD (Dec. 1982) based on 4.1aBSD
 * 4.2BSD (Sep. 1983) based on 4.1cBSD
 * 4.3BSD (July 1986) based on 4.2BSD
 * 4.3BSD-Tahoe (June 1988) based on 4.3BSD
 * BSD Net/1 (Mar. 1989) based on 4.3BSD-Tahoe
 * 4.3BSD-Reno (June 1990) based on Tahoe and Net/1
 * BSD Net/2 (Aug. 1991) based on 4.3BSD-Reno
 * 386BSD 0.0 (Mar. 1992) based on Net/2
 * 386BSD 0.1 (July 1992) based on 386BSD 0.0
 * NetBSD 0.8 (Apr. 1993) based on 386BSD 0.1
 * 4.4BSD (June 1993) based on Reno and Net/2
 * NetBSD 0.9 (Aug. 1993) based on NetBSD 0.8
 * 4.4BSD-Lite1 (Apr. 1994) based on 4.4BSD
 * NetBSD 1.0 (Oct. 1994) based on NetBSD 0.9 and 4.4BSD-Lite1
 * 4.4BSD-Lite2 (June 1995) based on 4.4BSD-Lite1
 * OpenBSD 1.2 (July 1996) based on NetBSD 1.0
 * OpenBSD 2.0 (Oct. 1996) based on OpenBSD 1.2 and 4.4BSD-Lite2

It is true that much of the original BSD code has been replaced. But looking closely, you will still find decades old code from almost all BSD releases. Compare, for example,

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/expand/expand.c?annotate=HEAD

to

  http://minnie.tuhs.org/cgi-bin/utree.pl?file=1BSD/s6/expand.c

in particular the main loop. Yes, much of the code has been amended, but some parts remain unchanged since more than 36 years ago. According to the Berne Convention, that file still contains text covered by Bill Joy's Copyright, even though - following U.S. Copyright law - the Copyright Notice only mentions The Regents. That is just one of no doubt many examples.

It is even possible that OpenBSD still contains traces of decades old AT&T UNIX code. Good candidates for looking are the following 23 files, see http://www.groklaw.net/article.php?story=20041126130302760 :

  sys/kern/init_main.c
  sys/kern/kern_clock.c
  sys/kern/kern_exec.c
  sys/kern/kern_exit.c
  sys/kern/kern_physio.c
  sys/kern/kern_sig.c
  sys/kern/kern_synch.c
  sys/kern/subr_rmap.c
  sys/kern/sys_generic.c
  sys/kern/sys_process.c
  sys/kern/tty.c
  sys/kern/tty_subr.c
  sys/kern/vfs_bio.c
  sys/kern/vfs_syscalls.c
  sys/sys/buf.h
  sys/sys/proc.h
  sys/sys/tty.h
  sys/ufs/dinode.h
  sys/ufs/inode.h
  sys/ufs/ufs_bmap.c
  sys/ufs/ufs_disksubr.c
  sys/ufs/ufs_inode.c
  sys/ufs/ufs_vnops.cl

I checked init_main.c, and it still says:

 * (c) UNIX System Laboratories, Inc.
 * All or some portions of this file are derived from material licensed
 * to the University of California by American Telephone and Telegraph
 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
 * the permission of UNIX System Laboratories, Inc.

I'm too lazy now to check whether any of that code *actually* still remains or if it has *incidentally* all been replaced since. In any case, i'm not aware that there ever was any *intentional* effort to replace AT&T UNIX code in these files. So your claim that none remains seems somewhat bold to me. Then again, if any remains, it is certainly not a large amount.

History is fun (litigation not so much).

Yours,
  Ingo
Re: openbsdstore: enable javascript and buy something or gtfo
Responding here at the risk of continuing to feed the troll, but in the interest of setting the record straight (i.e. for the archives).

On 4 Oct 2014 at 13:53, Matti Karnaattu wrote:

> >Many a naïve person believe you can "add" security as an afterthought
> >but I'm not aware of this approach ever truly succeeding.
>
> I think that OpenBSD has done decent job. Decades ago that old unix
> code, originally did not quite exactly been EAL7.

1. OpenBSD is a great example of the difference that having security as a primary design and development objective makes, unlike most other OSes (including all flavors of linux) which do "added" security.

2. Open*BSD* as the name implies, had no "decades old" Unix code and by now has had much of the _original_ BSD code replaced as well.

3. A quick look at [0] demonstrates your utter ignorance of EAL or the issues involved in having formal certification of OpenBSD specifically. To wit:

   a) No operating system is certified to EAL7;
   b) Highest level certification achieved by any Unix-like OS is EAL4;
   c) Minimum reported timeframe to achieve EAL4 is 9 months (to as long as two years) at which point the released OBSD version is guaranteed to have changed, and the code being certified is about to or possibly already no longer supported;
   d) EAL certification requires a specific Target of Evaluation (e.g. it is well known that Windows NT achieved EAL4 but only without networking) whereas OpenBSD is a general purpose open-source OS that anyone is free to use and *modify* any way they please.

4. It's probably high time to let this utterly degenerated thread die..

[0] https://en.wikipedia.org/wiki/Evaluation_Assurance_Level
Re: openbsdstore: enable javascript and buy something or gtfo
>Many a naïve person believe you can "add" security as an afterthought
>but I'm not aware of this approach ever truly succeeding.

I think that OpenBSD has done decent job. Decades ago that old unix code, originally did not quite exactly been EAL7.
Re: openbsdstore: enable javascript and buy something or gtfo
Hello,

This is for the OP: dude, you are free to do anything, order or cancel or whatever you want. But please contact the SITE MAINTAINER about your problems, do not annoy the list with your obsession(s). You can taste the toilet paper if you don't TRUST it, but please direct your inquiries to the proper destinations.

And for you, please see that OpenBSD is not a solution for every damn problem in this world. It may be, but now as you think to.

Bye.
Re: openbsdstore: enable javascript and buy something or gtfo
> | The OpenBSD Store
>
> | If you have JavaScript disabled you will not be able to order from
> | this site...

ludovic coues asked
| I'm curious, how did you get this message ?

(running 5.5-stable amd64)
  lynx https://www.openbsdstore.com
or
  lynx http://www.openbsd.org
  --> Buy CDs/Shirts/Posters
  --> the OpenBSD Store

--
-- "Jonathan Thornburg [remove -animal to reply]"
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time."
      -- George Orwell, "1984"
Re: openbsdstore: enable javascript and buy something or gtfo
On Sat, Oct 04, 2014 at 01:11:06AM +0300, Matti Karnaattu wrote:

> > So you are saying that soon everything will be force fed to you and
> > you will be ok with it?
>
> There are two things which irritate me in computing:
>
> 1. Need of security updates
> 2. Two pieces of technology which are not compatible with each other.
>
> I'm GLAD that finally we have Javascript. At last, we have language and
> platform that WORKS universally. No more dozen proprietary
> (or open source), incompatible platforms. Once we have C-language that
> can be compiled almost anywhere, with minor modifications as long as it
> was command line software.
>
> Now we have Javascript that runs in browser, almost everywhere, without
> modifications and do almost everything.
>
> It is simply wonderful. Best thing after invention of WWW.

I just changed a couple of security (ha!) settings in my google account and disabled access by "less secure apps". Then I tried to read my email using mutt. It failed and I got a nice email from google informing me of the blocked sign-in attempt and saying:

"You can switch to an app made by Google such as Gmail to access your account (recommended) or change your settings at http://... so that your account is no longer protected by modern security standards."

Please, *do* tell me more about your "simply wonderful" java-scripted browser-dependent cloud-based memory-hogging broadband-needing SAAS world, it sounds like such fun!

You are on a mailing list of a heavily security-oriented OS (and community), proselytising about a computing model based on blindly downloading source code that will run locally (and doing this every time you want to use an "application").

Good luck.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
On 4 Oct 2014 at 1:41, Matti Karnaattu wrote:
...
> I don't think that is pragmatic to expect people to use computers
> without applications. Or expect users of some software doesn't want to
> use applications.
>

why not be the ultimate pragmatist you preach and go run Windows? (Isn't that what "everybody" runs and the only platform "all" software developers support? and the best part -- you won't be spamming OpenBSD mailing lists anymore ;-)
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
>and navigation of a site should not require javascript as
>per w3c guidelines.

The thing is that web is more than "web sites". It is also full of applications and these are totally mixed.

>However considering OpenBSD users are security savvy and should
>understand the potential risks of random sites running javascript

I'm sure that probably everyone here understands these risks, but in order to be security savvy doesn't rule out that you can also be pragmatic.

I don't think that is pragmatic to expect people to use computers without applications. Or expect users of some software doesn't want to use applications.
Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo
On Fri, 3 Oct 2014 13:26:11 -0400 (EDT) david...@ling.ohio-state.edu wrote:

> >
> > Keeping Javascript disabled is like disabling programmability from
> > shell. What is the idea?
>
> You're making a joke, maybe?
>
> *I* choose what programs my shell executes. But when I visit a
> webpage on the internet with javascript enabled, someone *else*
> chooses what programs are executed.
>
> So I don't enable javascript unless there's a good reason. And, for
> my purposes, there almost never is a good reason.

True and you wouldn't allow visitors to inject shell into your webserver and navigation of a site should not require javascript as per w3c guidelines.

However considering OpenBSD users are security savvy and should understand the potential risks of random sites running javascript and it may be that the cheapest or current pay system available required javascript then it is probably more useful to ask paypal why on earth they reduced the potential security of their users for a slightly nicer look or investigate and suggest an alternative.

OTOH I am told but correct me if I am wrong that in Germany they use bank transfers rather than credit cards and the banks I use no longer require javascript so perhaps that would be a better and more secure system all round, assuming they have a good method to verify the account numbers.
Re: openbsdstore: enable javascript and buy something or gtfo
> So you are saying that soon everything will be force fed to you and
> you will be ok with it?

There are two things which irritate me in computing:

1. Need of security updates
2. Two pieces of technology which are not compatible with each other.

I'm GLAD that finally we have Javascript. At last, we have language and platform that WORKS universally. No more dozen proprietary (or open source), incompatible platforms. Once we have C-language that can be compiled almost anywhere, with minor modifications as long as it was command line software.

Now we have Javascript that runs in browser, almost everywhere, without modifications and do almost everything.

It is simply wonderful. Best thing after invention of WWW.

> Just because something is the standard, doesn't make it good.

Heh, very true! What you expect?! It is typical that inferior solutions wins. See:

http://en.wikipedia.org/wiki/Worse_is_better

C and Unix is same thing. Or how about C++? There was Ada back then too.

Sadly, world is not ideal. Have to accept some crap too to get better. Yes, I think Javascript is horrible language but after industry mutually accepted it, it become very useful.
Re: openbsdstore: enable javascript and buy something or gtfo
On Fri, Oct 3, 2014 at 12:20 PM, J Sisson wrote:
> If the javascript contains an XMLHTTPRequest object, it can call out
> to a different server (than the one you are visiting) without your
> explicit knowledge, download content, and do basically whatever the
> user the browser is running as can do, barring browser sandboxing,

Also, Chromium and Firefox don't implement any OS-level sandboxing on OpenBSD. If anyone's interested in helping to fix that, see http://crbug.com/378813.
Re: openbsdstore: enable javascript and buy something or gtfo
On 03-10-2014 17:48, Matti Karnaattu wrote:
> Unfortunately, we are living world where almost all applications are
> nowadays written with Javascript or compiled to Javascript. And it is
> matter of time when rest of the issues are solved which prevents it
> using ~everywhere to reduce server load.

So you are saying that soon everything will be force fed to you and you will be ok with it?

Just because something is the standard, doesn't make it good. Take a look at windows, for instance.

Javascript can do too much damage, and it's pushed down your throat, you don't have a say on it. 99% of the javascript out there is benign (if you call adserving benign). But the 1% that is not, is worrisome enough for me to not trust them blindly.

Cheers,
Re: openbsdstore: enable javascript and buy something or gtfo
On 3 Oct 2014 at 23:48, Matti Karnaattu wrote:
...
> >etc...and that's not the only way javascript can be used maliciously
>
> These are called security holes.
>
> >There is good reason not to explicitly trust javascript or any other
> >browser plugin that allow the remote site to execute code on your
> >machine.
>
> Unfortunately, we are living world where almost all applications are
> nowadays written with Javascript or compiled to Javascript. And it is
> matter of time when rest of the issues are solved which prevents it
> using ~everywhere to reduce server load.

Many a naïve person believe you can "add" security as an afterthought but I'm not aware of this approach ever truly succeeding.

> For that reason, it is not beneficial to avoid Javascript. Instead it
> useful to think how it can be run securely.

The only possible way to run it securely is to run it very very sparingly, and *only* when you believe that you are working with reasonable input. (You wouldn't go into a minefield armed only with a blindfold in order to "think how to do it safely", would you?)

> Javascript is today's C.

Fruits and vegetables. C is a fairly low-level *language* and the quality of the resulting application is entirely dependent on the programmer. Browser Javascript is as you yourself pointed out a *platform* i.e. it IS a complete application designed and built by people that do not think to close the barn until after the cows are gone (and probably consider any real lock to be too cumbersome).
Re: openbsdstore: enable javascript and buy something or gtfo
>If the javascript contains an XMLHTTPRequest object, it can call out
>to a different server (than the one you are visiting) without your
>explicit knowledge, download content, and do basically whatever the
>user the browser is running as can do,

I'm aware. This object is in practice transformed browser to application platform.

>barring browser sandboxing,

If it is leaking, yes.

>etc...and that's not the only way javascript can be used maliciously

These are called security holes.

>There is good reason not to explicitly trust javascript or any other
>browser plugin that allow the remote site to execute code on your
>machine.

Unfortunately, we are living world where almost all applications are nowadays written with Javascript or compiled to Javascript. And it is matter of time when rest of the issues are solved which prevents it using ~everywhere to reduce server load.

For that reason, it is not beneficial to avoid Javascript. Instead it useful to think how it can be run securely.

Javascript is today's C.
Re: openbsdstore: enable javascript and buy something or gtfo
> Here it is for your convenience:
>
> If you wish to contact us by phone, please call +44 (0) 115 986
> 8786, Monday to Friday 10am-2:30pm - Linda Bramley
>
> Email: ord...@openbsdstore.com
> Address:
> OpenBSD Store
> Zednax Limited
> 241 Wellington Road South
> Stockport
> SK2 6NG
>

Thanks Aaron, I'm on the same boat as the OP. I was thinking about downloading the software and make a donation (hey, even PayPal works without JS !) but not being able to get the artwork would have been a shame.

Denis
Re: openbsdstore: enable javascript and buy something or gtfo
No, the one lacking understanding is you -- the fact that 99.9% of the Internet users are clueless (and even worse, *lax*) about security, probably never heard of OpenBSD and most likely will never use it because it interferes with their daily fill of spam and malware is totally irrelevant for this particular community that, thankfully, has always been willing to do things *right* rather than *easy*.

On 3 Oct 2014 at 22:01, Matti Karnaattu wrote:

> >I can't know what interest openbsdeurope has in requiring users to
> >enable JS to obtain any information from their website.
>
> Probably 999 users in thousand don't want to make web crippled and
> don't even think that standard JS is any special requirement.
>
> > *I* choose what programs my shell executes. But when I visit a
> > webpage on the internet with javascript enabled, someone *else*
> > chooses what programs are executed.
>
> No, you chose that web page to visit.
>
> I think that you don't probably understand that web is nowadays
> by default, software platform. Web pages are applications.
>
> You can make your life easier by enabling Javascript.
>
> Soon it is probably nearly impossible to do anything useful with web
> without Javascript. It is de facto and de jure standard language for
> portable applications.
Re: openbsdstore: enable javascript and buy something or gtfo
On Fri, Oct 3, 2014 at 12:01 PM, Matti Karnaattu wrote:
> No, you chose that web page to visit.

http://www.w3schools.com/xml/xml_http.asp

If the javascript contains an XMLHTTPRequest object, it can call out to a different server (than the one you are visiting) without your explicit knowledge, download content, and do basically whatever the user the browser is running as can do, barring browser sandboxing, etc...and that's not the only way javascript can be used maliciously, as has been pointed out by others.

There is good reason not to explicitly trust javascript or any other browser plugin that allows the remote site to execute code on your machine.

Granted, it doesn't necessarily take javascript:

http://blog.fox-it.com/2014/01/03/malicious-advertisements-served-via-yahoo/
Re: openbsdstore: enable javascript and buy something or gtfo
On 03-10-2014 16:01, Matti Karnaattu wrote:
> Soon it is probably nearly impossible to do anything useful with web
> without Javascript. It is de facto and de jure standard language for
> portable applications.

I believe the OP could have done his research a little better, there are other ways of finding contact information, even when the site refuses to give any information unless javascript is enabled.

But, I too only enable javascript on the sites only when I feel the need to do so. Javascript can be, and has been, used to do all sort of nasty stuff. And, since more and more things are moving to the web, it's a big target.

Try using noscript and you'll see that some websites bring along third-party scripts that themselves bring along other scripts. It's a nightmare. You can't possibly trust all of them.

Cheers,
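
The behaviour described in the two messages above (a script calling out to a server other than the one visited, and third-party scripts pulling in further scripts), as an added example that is not part of the thread: a static inventory of every origin a page hands code execution or data to. All hosts, HTML and script bodies are constructed sample data, and the regexes are heuristics chosen for this illustration, not a full JavaScript parser.

```javascript
// Added example (Node.js, no dependencies). Everything in FIXTURE is constructed.
// FIXTURE maps URL -> response body so the walk runs offline.
const FIXTURE = {
  'https://shop.example/': `
    <html><head>
      <script src="/js/cart.js"></script>
      <script src="https://cdn.ads.example/loader.js"></script>
      <script>var inlineCode = 1;</script>
    </head></html>`,
  'https://shop.example/js/cart.js': `
    var x = new XMLHttpRequest();
    x.open("POST", "https://metrics.example/collect");`,
  'https://cdn.ads.example/loader.js': `
    var s = document.createElement('script');
    s.src = "https://tracker.example/t.js";
    document.head.appendChild(s);`,
  'https://tracker.example/t.js': `/* leaf script */`,
};

// <script src="..."> tags in the page HTML.
const SCRIPT_TAG = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
// Heuristics for script bodies: dynamically injected scripts and XHR targets.
const DYNAMIC_SRC = /\.src\s*=\s*["']([^"']+)["']/g;
const XHR_OPEN = /\.open\(\s*["'][A-Z]+["']\s*,\s*["']([^"']+)["']/g;

function captures(re, text) {
  return [...text.matchAll(re)].map((m) => m[1]);
}

// Walk the page and every script it (transitively) loads.
// fetchBody(url) returns the body as a string, or undefined if unavailable.
function auditPage(pageUrl, fetchBody) {
  const pageOrigin = new URL(pageUrl).origin;
  const visited = new Set();
  const findings = [];

  function record(kind, target, loadedBy) {
    const url = new URL(target, loadedBy); // resolves relative references
    findings.push({
      kind,                                   // 'script' or 'xhr'
      url: url.href,
      origin: url.origin,
      thirdParty: url.origin !== pageOrigin,  // not the site the user chose
      loadedBy,                               // who pulled it in
    });
    return url.href;
  }

  function walkScript(scriptUrl) {
    if (visited.has(scriptUrl)) return;       // guard against load cycles
    visited.add(scriptUrl);
    const body = fetchBody(scriptUrl);
    if (body === undefined) return;
    for (const t of captures(XHR_OPEN, body)) record('xhr', t, scriptUrl);
    for (const t of captures(DYNAMIC_SRC, body)) {
      walkScript(record('script', t, scriptUrl));
    }
  }

  const html = fetchBody(pageUrl) || '';
  for (const t of captures(SCRIPT_TAG, html)) {
    walkScript(record('script', t, pageUrl));
  }
  return findings;
}

// Distinct origins other than the visited site, sorted for stable output.
function thirdPartyOrigins(findings) {
  const origins = findings.filter((f) => f.thirdParty).map((f) => f.origin);
  return [...new Set(origins)].sort();
}

const sampleReport = auditPage('https://shop.example/', (u) => FIXTURE[u]);
for (const f of sampleReport) {
  const tag = f.thirdParty ? 'THIRD-PARTY' : 'first-party';
  console.log(`${tag} ${f.kind} ${f.url} (via ${f.loadedBy})`);
}
console.log('origins to trust:', thirdPartyOrigins(sampleReport).join(', '));
```

The visited page names one outside host, yet the inventory ends with three, two of them introduced only by scripts that were themselves loaded.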
Re: openbsdstore: enable javascript and buy something or gtfo
>I can't know what interest openbsdeurope has in requiring users to
>enable JS to obtain any information from their website.

Probably 999 users in thousand don't want to make web crippled and don't even think that standard JS is any special requirement.

> *I* choose what programs my shell executes. But when I visit a
> webpage on the internet with javascript enabled, someone *else*
> chooses what programs are executed.

No, you chose that web page to visit.

I think that you don't probably understand that web is nowadays by default, software platform. Web pages are applications.

You can make your life easier by enabling Javascript.

Soon it is probably nearly impossible to do anything useful with web without Javascript. It is de facto and de jure standard language for portable applications.
Re: openbsdstore: enable javascript and buy something or gtfo
On Fri, 3 Oct 2014, Matti Karnaattu wrote:

> > Why should I enable javascript to obtain basic information about a
> > website?
>
> Why do not keep Javascript all time enabled?
>
> Keeping Javascript disabled is like disabling programmability from
> shell. What is the idea?

You're making a joke, maybe?

*I* choose what programs my shell executes. But when I visit a webpage on the internet with javascript enabled, someone *else* chooses what programs are executed.

So I don't enable javascript unless there's a good reason. And, for my purposes, there almost never is a good reason.

-wes

--
"It's a universal symbol, a man and a woman together. It's a restroom."
--- some guy sitting next to me on an airplane
Re: openbsdstore: enable javascript and buy something or gtfo
On Fri, 3 Oct 2014, david...@ling.ohio-state.edu wrote:

> On Fri, 3 Oct 2014, Theo de Raadt wrote:
>
> > But instead you brought your complaint to misc.
>
> Indeed.
>
> > You have an agenda.
>
> Sure do. I had reason to distrust the website, as I've explained.
>
> But I have no reason to distrust this listserv.

I'll elaborate a little, in the interest of clarity, and then leave the thread.

I can't know what interest openbsdeurope has in requiring users to enable JS to obtain any information from their website.

But it occurred to me that such an interest *could* conceivably conflict with the interests of the openbsd project, and perhaps some of its users.

So I shared what I had noticed, with the project and its users here. In good faith.

Take care.

-wes
Re: openbsdstore: enable javascript and buy something or gtfo
On Fri, Oct 3, 2014 at 9:53 AM, ludovic coues wrote:
> 2014-10-03 16:09 GMT+02:00 :
>> In my browser of choice, configured sensibly, this is all that can be
>> seen at openbsdstore.com and openbsdeurope.com:
>>
>> | The OpenBSD Store
>>
>> | If you have JavaScript disabled you will not be able to order from
>> | this site...
>>
>
> I'm curious, how did you get this message ?
>
> --
>
> Cordialement, Coues Ludovic
> +336 148 743 42
>

$ curl openbsdstore.com
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";> http://www.w3.org/1999/xhtml";> The OpenBSD Store If you have JavaScript disabled you will not be able to order from this site...
Re: openbsdstore: enable javascript and buy something or gtfo
>Why should I enable javascript to obtain basic information about a
>website?

Why do not keep Javascript all time enabled?

Keeping Javascript disabled is like disabling programmability from shell. What is the idea?
Re: openbsdstore: enable javascript and buy something or gtfo
2014-10-03 16:09 GMT+02:00 :
> In my browser of choice, configured sensibly, this is all that can be
> seen at openbsdstore.com and openbsdeurope.com:
>
> | The OpenBSD Store
>
> | If you have JavaScript disabled you will not be able to order from
> | this site...
>

I'm curious, how did you get this message ?

--

Cordialement, Coues Ludovic
+336 148 743 42
Re: openbsdstore: enable javascript and buy something or gtfo
On Fri, Oct 3, 2014 at 10:48 AM, wrote:
> On Fri, 3 Oct 2014, Theo de Raadt wrote:
>
>>> Who said anything about an order page?
>>>
>>> Who said anything about final decisions? The text provided gave me no
>>> information upon which to base any decision of that kind.
>>>
>>> As I made perfectly clear in my post, the accessible content on the
>>> website is a single, elided sentence.
>>>
>>> Why should I enable javascript to obtain basic information about a
>>> website?
>>>
>>> Really, it's quite an achievement, seeing as even Facebook pages
>>> aren't completely void of content when viewed without javascript.
>>
>>
>> You know who to mail, to help get that improved.
>
>
> No, I actually don't. See my first post. I could guess, but I didn't
> feel like guessing.

To be fair - you probably couldn't see the contact info with JS disabled.

Here it is for your convenience:

If you wish to contact us by phone, please call +44 (0) 115 986 8786, Monday to Friday 10am-2:30pm - Linda Bramley

Email: ord...@openbsdstore.com
Address:
OpenBSD Store
Zednax Limited
241 Wellington Road South
Stockport
SK2 6NG

OpenBSD Store is a trading name of Zednax Limited. Zednax Limited is registered in England and Wales, Company no. 05321754. Registered address: Meadow House, Meadow Lane, Nottingham, NG2 3HS. Zednax Limited is VAT registered, VAT registration no. GB 855 4468 92.

Also this is from openbsd.org:

Pre-orders for the upcoming OpenBSD 5.6 release are enabled at our new order site -- openbsdstore.com operated by Zednax Limited from the UK.

>
>> But instead you brought your complaint to misc.
>
>
> Indeed.
>
>> You have an agenda.
>
>
> Sure do. I had reason to distrust the website, as I've explained.
>
> But I have no reason to distrust this listserv.
>
> -wes
Re: openbsdstore: enable javascript and buy something or gtfo
On Fri, 3 Oct 2014, Theo de Raadt wrote:

>> Who said anything about an order page?
>>
>> Who said anything about final decisions? The text provided gave me no
>> information upon which to base any decision of that kind.
>>
>> As I made perfectly clear in my post, the accessible content on the
>> website is a single, elided sentence.
>>
>> Why should I enable javascript to obtain basic information about a
>> website?
>>
>> Really, it's quite an achievement, seeing as even Facebook pages
>> aren't completely void of content when viewed without javascript.
>
> You know who to mail, to help get that improved.

No, I actually don't. See my first post. I could guess, but I didn't
feel like guessing.

> But instead you brought your complaint to misc.

Indeed.

> You have an agenda.

Sure do. I had reason to distrust the website, as I've explained.

But I have no reason to distrust this listserv.

-wes
Re: openbsdstore: enable javascript and buy something or gtfo
On Fri, 3 Oct 2014, Theo de Raadt wrote:

> So easy to be critical.

Sure. And some criticism happens to be useful. Some say it's even more
useful than wagon-circling.
Re: openbsdstore: enable javascript and buy something or gtfo
> > 2014-10-03 16:09 GMT+02:00 :
> >> Strangely enough, this doesn't incline me to enable javascript.
> >
> > Why?
> >
> > Don't you trust the store?
>
> Heh, literally blind trust, eh?
>
> What store? You call it a store. And I did expect it to be a store
> of some kind, since openbsd.org/orders.html links to it as the sole
> source for CDs.
>
> But the failure to provide minimal contact info, not to mention any
> descriptive content, doesn't inspire confidence.
>
> Whoever is responsible for it, if they can't be troubled to put up an
> accessible website, then it really doesn't matter whether I employ
> Hanlon's razor or not. Whether this is a case of malice or
> incompetence, my response is the same.

So easy to be critical.
Re: openbsdstore: enable javascript and buy something or gtfo
> Who said anything about an order page?
>
> Who said anything about final decisions? The text provided gave me no
> information upon which to base any decision of that kind.
>
> As I made perfectly clear in my post, the accessible content on the
> website is a single, elided sentence.
>
> Why should I enable javascript to obtain basic information about a
> website?
>
> Really, it's quite an achievement, seeing as even Facebook pages
> aren't completely void of content when viewed without javascript.

You know who to mail, to help get that improved.

But instead you brought your complaint to misc.

You have an agenda.
Re: openbsdstore: enable javascript and buy something or gtfo
On Fri, 3 Oct 2014, Bryan Steele wrote:

> On Fri, Oct 03, 2014 at 10:09:36AM -0400, david...@ling.ohio-state.edu wrote:
>> In my browser of choice, configured sensibly, this is all that can be
>> seen at openbsdstore.com and openbsdeurope.com:
>>
>> | The OpenBSD Store
>>
>> | If you have JavaScript disabled you will not be able to order from
>> | this site...
>>
>> And yes, it literally ends with an ellipsis.
>>
>> Strangely enough, this doesn't incline me to enable javascript.
>>
>> -wes
>
> So, you visit an order page likely content on providing your billing
> information and shipping address, but it's the use of Javascript that
> sways your final decision to order?

Who said anything about an order page?

Who said anything about final decisions? The text provided gave me no
information upon which to base any decision of that kind.

As I made perfectly clear in my post, the accessible content on the
website is a single, elided sentence.

Why should I enable javascript to obtain basic information about a
website?

Really, it's quite an achievement, seeing as even Facebook pages
aren't completely void of content when viewed without javascript.

-wes
Re: openbsdstore: enable javascript and buy something or gtfo
On Fri, 3 Oct 2014, Martin Schröder wrote:

> 2014-10-03 16:09 GMT+02:00 :
>> Strangely enough, this doesn't incline me to enable javascript.
>
> Why?
>
> Don't you trust the store?

Heh, literally blind trust, eh?

What store? You call it a store. And I did expect it to be a store
of some kind, since openbsd.org/orders.html links to it as the sole
source for CDs.

But the failure to provide minimal contact info, not to mention any
descriptive content, doesn't inspire confidence.

Whoever is responsible for it, if they can't be troubled to put up an
accessible website, then it really doesn't matter whether I employ
Hanlon's razor or not. Whether this is a case of malice or
incompetence, my response is the same.

-wes
Re: openbsdstore: enable javascript and buy something or gtfo
He didn't say it changed his decision to order. It is a rather terse and
unhelpful message, though. It could at least mention the option of
ordering via email.

Tim.
Re: openbsdstore: enable javascript and buy something or gtfo
On Fri, Oct 3, 2014 at 10:25 AM, Bryan Steele wrote:
> So, you visit an order page likely content on providing your billing
> information and shipping address, but it's the use of Javascript that
> sways your final decision to order?

I thought it was the ellipsis that did it :-)

--
"Don't eat anything you've ever seen advertised on TV"
- Michael Pollan, author of "In Defense of Food"
Re: openbsdstore: enable javascript and buy something or gtfo
2014-10-03 16:09 GMT+02:00 :
> Strangely enough, this doesn't incline me to enable javascript.

Why?

Don't you trust the store?
Re: openbsdstore: enable javascript and buy something or gtfo
On Fri, Oct 03, 2014 at 10:09:36AM -0400, david...@ling.ohio-state.edu wrote:
> In my browser of choice, configured sensibly, this is all that can be
> seen at openbsdstore.com and openbsdeurope.com:
>
> | The OpenBSD Store
>
> | If you have JavaScript disabled you will not be able to order from
> | this site...
>
> And yes, it literally ends with an ellipsis.
>
> Strangely enough, this doesn't incline me to enable javascript.
>
> -wes

So, you visit an order page likely content on providing your billing
information and shipping address, but it's the use of Javascript that
sways your final decision to order?

Right...

-Bryan.
openbsdstore: enable javascript and buy something or gtfo
In my browser of choice, configured sensibly, this is all that can be
seen at openbsdstore.com and openbsdeurope.com:

| The OpenBSD Store

| If you have JavaScript disabled you will not be able to order from
| this site...

And yes, it literally ends with an ellipsis.

Strangely enough, this doesn't incline me to enable javascript.

-wes