[LINK] Study shows pop-up warnings are ineffective

Craig Sanders cas at taz.net.au
Wed Oct 1 10:52:51 EST 2008

On Wed, Oct 01, 2008 at 09:39:20AM +1000, Gordon Keith wrote:
> But I now realise that javascript code doesn't just display things. It
> can collect and report back data to the server without user
> interaction. That is indeed a qualitative difference.

it's executable code, it can do pretty much whatever the programmer
wants it to.

i always used to think, even when i first read them back in the 80s,
that the dangers in William Gibson's Cyberspace and Black ICE etc
from Neuromancer and other novels were a silly idea - after all, who'd
be stupid enough to actually run software (or use hardware without
limiters) that could fry their brain or do other damage to them?  Data
is just data, it doesn't *DO* anything, it's passive. it's not a

now i realise that i was hopelessly naive. almost everyone would. it
would only be "diehard" freaks like myself who would think that there
was anything wrong with blindly trusting unknown code written by unknown
entities with unknown motives for unknown purposes.

> It's not just the sandbox I am trusting to protect my computer, I now
> have to trust an unknown server to protect my data. Very different
> things.


and, as mentioned, you also have to trust the javascript. or, worse, on
Windows & IE you have to trust ActiveX, which is even more dangerous
than js.

there's also the fact that the more people switch to web 2.0 /
cloud-computing / etc type applications, the bigger the "sandbox" will
be - if all your computing and data processing is done inside the
sandbox (i.e. if your primary computing environment is just a virtual
machine running inside javascript or whatever) then it's effectively


craig sanders <cas at taz.net.au>
