On Wed, 2 Mar 2016 05:07 am, Chris Angelico wrote:

> On Wed, Mar 2, 2016 at 3:44 AM, Steven D'Aprano <st...@pearwood.info>
> wrote:
>> A better analogy is:
>>
>> When I add cocaine to my stew, the result is an appallingly bad for those
>> who eat it. Do you have any idea how rough cocaine is on the human body
>> and brain? My wife likes the analogy, being on cocaine is like pressing
>> the accelerator of your car all the way to the floor, ALL THE TIME,
>> regardless of whether you are moving forward or stopped at the lights.
>> And yet, for some reason, people seem to like the cocaine-riddled stew,
>> and often ask me to add more cocaine.
>>
>> People cannot get enough of Javascript, no matter what it does to the
>> security and stability of their browser, no matter how many pop-ups it
>> launches or how much spyware and malware it installs, or how many times
>> it kills their browser.
>
> s/cocaine/sriracha/ and I would agree with you, because there are
> places where JS can majorly enhance a web site, and it isn't going to
> kill you if you use it correctly.

If by "kill" you mean "compromise your system", then JS absolutely can kill.
Running somebody else's code on your machine could have *any* consequence,
such as installing spyware, a spam-bot, ransomware, a keylogger that results
in your bank account being emptied, or (if the spyware is being run by
people who consider you an enemy of the state) literal death via a midnight
visit from the secret police or a Hellfire missile fired through your window.
https://community.rapid7.com/community/metasploit/blog/2014/01/23/firefox-privileged-payloads
http://er.educause.edu/blogs/2016/2/fast-forward-javascript-api-exploits
http://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/
https://www.vidder.com/resources/attacks/javascript-device-exploit.html
https://www.usenix.org/legacy/event/woot08/tech/full_papers/daniel/daniel_html/
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1487635#vtab-characteristics

(The last one typos the malware as "Java" code, but if you read on you'll
see they actually mean Javascript.)

As a web developer, if you host ads, your viewers are at the mercy of malware:

https://en.wikipedia.org/wiki/Malvertising

Most malicious advertising is still written in Flash/ActionScript (a variant
of Javascript), but some use Javascript:

http://www.pcworld.com/article/3039816/security/malvertising-campaigns-are-becoming-harder-to-detect.html

-- 
Steven