Richard "GNU" Stallman on "The JavaScript Trap"

General discussion about the NoScript extension for Firefox
Post Reply
User avatar
Giorgio Maone
Site Admin
Posts: 8957
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Richard "GNU" Stallman on "The JavaScript Trap"

Post by Giorgio Maone » Wed Mar 25, 2009 6:27 pm

He nods at NoScript, too.
What do you think?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by luntrus » Wed Mar 25, 2009 9:04 pm

Hi Giorgio Maone,

It is a complicated question. For incompatibility reasons he has a proper argument, and in the ideal situation where the code was set free for the user, the data still would not be. Do not forget the origin is computed from the document.

And as far as the code goes, has that stopped anyone reversing in the past?.
And what in the case where this code is being created "on the fly" dynamically generated and not by any open source code.
Can the user control the propriety application, according to what NoScript does on code, he or she can.

But the main question for the NoScript- community would be: "Is there a security risk if the user wants to replace the one code with the other". Or couldn't that be done? Anyway the user could discriminate between the good (open source), the evil (propriety) and the ugly (malicious, bad, and spaghetti), furthermore there are users that take a strict or a more lenient view to what to use.

Well Giorgio, you started some discussion in this thread, I am sure about that,

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090324 Minefield/3.6a1pre

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Tom T. » Thu Mar 26, 2009 3:03 am

Most of the article was way over my head, but perhaps it helps that I can represent a closer-to-average user.

Finally, we need to change free browsers to support freedom for users of pages with Javascript. First of all, browsers should be able to tell the user about nontrivial non-free Javascript programs, rather than running them. Perhaps NoScript could be adapted to do this.

I must be missing something. Doesn't NS already tell the user about *all* JS that is running or attempting to run, or blocked?

Browser users also need a convenient facility to specify Javascript code to use instead of the Javascript in a certain page.

This guy lives on a strange planet where all Internet users are expert JS programmers. We can't even convince the average user to dump IE for Fx, and then we can't convince some of those to add NS. The idea that the majority of users will go around writing their own JS to substitute for what the page has is ludicrous.

Again, forgive me for what I don't understand. (You can try explaining it to me if you like). NS has already introduced script surrogates, so doesn't NS already take care of the problem? If not, how not?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

Nan M
Ambassador
Posts: 102
Joined: Thu Mar 19, 2009 12:44 pm

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Nan M » Thu Mar 26, 2009 5:15 am

Edit.
This isn't a place where nuances are worth the trouble.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Tom T. » Thu Mar 26, 2009 7:43 am

Nan M wrote:it would be very helpful to be given half a clue about which active content just might be ethical and usable

To whom? "ethical" and "usable" are both subjective judgments. What is ethical to you might not be to me, and vice versa. NS gives us the power to make those decisions for ourselves. I don't want anyone -- Capital, Labour, Government, the Pope, or anyone else -- deciding these things for me.

"Safe" and "Dangerous" are judgments I trust NS to make regarding XSS, clickjacking, etc., because I don't have the knowledge to make them.

As previous post mentioned, I still don't understand what exactly -- in a concrete example -- Stallman's ideas would give the non-JS-reading majority that NS doesn't already do for us. A clear hypothetical example would help.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

Fatman
Posts: 7
Joined: Thu Mar 26, 2009 7:53 pm

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Fatman » Thu Mar 26, 2009 8:01 pm

IMHO, when it comes to javascript, the less, the better.

For me, the same is true for flash.

I am a regular peruser of ZDNET, and it looks a lot better once their advertising crap has been sent to /dev/null. Between No Script and Ad Blocker, when I go to that site, it is a lot less cluttered. :)

Still, however, I feel the final decision should be left up to the user.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3353
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by GµårÐïåñ » Thu Mar 26, 2009 8:17 pm

Nan M, I think you made great points, and
Tom T., I know where you are coming from also,

I am on the side of the world being full of ideas, perspectives and knowledge and it comes down to what works for each individual and that doesn't make either wrong or right, just different :twisted:

Fatman, I am all for pretty, extended function, this and that but not at the cost of sanity to easily and efficiently review information without being overwhelmingly cluttered, so I am all for NoScript and Adblock and RequestPolicy strategy to reducing clutter but you are right that its ultimately each person's decision how to approach it. :ugeek:
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by luntrus » Fri Mar 27, 2009 3:55 pm

Hi GµårÐïåñ,

As this is partly a philosophical debate as Stallman is the GNU Philosopher pur sang, I think it is important to look where the spearhead innovation is found (very good directions where being shown by the developers of GoogleChrome and its more privacy-friendly counterpart SRWare's Iron, the virtual machine aspects of the browsers is the way to go, throw out the malware code together with shutting down the browser. Fx can be in some ways be considered as a Monster-truck that is in need of a development U-turn, but just goes on into a pre-planned direction without possibilities for correction.
I would say if Iron for instance was coming with extensions like ABP, NoScript, RequestPolicy, CSP etc. also a lot of security savvy browser users would have left for that browser. So one never knows where innovation in development is found and where propriety-ish tendencies are setting in. We have to be aware of these tendencies always.
Now my question with the new Google plans for deep packet inspection to offer a better way to satisfy their adSense revenue market is frightening, what can the average user do to be protected against this loss of privacy and freedom.
The solution can be as simple as adopting an apt hosts file, but this is also way over the heads of the average browser user. It reminds me of an old saying by an influential man, and I adopt it to this example: "If one human being looses online privacy it is considered a disaster, if millions tend to loose it it is just statistics". The protest is calmed by some trivial blinking success story, the others are satisfied by some rubber bot, the results are just plain "evil". Where can NoScript help us? I think it can in many respects here, as it already has me and others,

luntrus
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Browzar)

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3353
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by GµårÐïåñ » Fri Mar 27, 2009 7:07 pm

luntrus, thank you for that, I find the perspective refreshing. I agree that I would like to see solutions that are sandboxed in a way that will isolate and dump when done. As you stated that was the idea going into GoogleChrome (which I have used and although it works fine, I had several issues with it that bothered me, enough to uninstall it) and I'll be honest, not sure about SRWare's Iron, will look into that, but the virtualization idea has been kicked around for a while and although great in theory has some limitations that need to be addressed and overcome before being globally usable. In certain scenarios, I wouldn't touch it without it but in some scenarios, the overhead and performance totally kills the efficiency needed to make it globally effective. I am sure progress will be made and there will come a time that it will probably become standard practice. You are right in that if we don't try, if we don't allow for some faith in a proof of concept that it might miss something great, so being open to new ideas is always a requirement of advancement but that needs to be balanced against potential carelessness or over eagerness towards progress that ends up setting us back. :ugeek:

I have always found tracking, user profiling and data mining to cross a certain ethical and comfort line for me personally and I have always actively been against it, maybe because I am jaded due to what I know and have seen and have done or maybe simply that I find the concept overbearing and too intrusive, no way to know for sure other than the fact that I don't like it :shock: Ultimately, some degree of tracking will always be a part of our lives and more so each day when technology needs to keep up with the solutions that defeat it. In the case of Google, I can see your point about the potential horror of it and although I would love to believe that any company that tells me "we believe in do no evil" is trustworthy, I would still feel better if they didn't push each and every day to know more and gather more on me, just my feeling on the subject.

anyway, thank you for the giving me the opportunity to pour out a little preach and whine :P I just hope that I have not gone too far off topic and my apologies in advance if I have.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

jogo
Posts: 3
Joined: Tue May 05, 2009 1:44 am

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by jogo » Tue May 05, 2009 1:54 am

He nods at NoScript, too.

Can someone ask Stallman again please? I wonder what would his reply be based on the new evidence of pissed-off developers playing counter-strike with their code.
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10

User avatar
Giorgio Maone
Site Admin
Posts: 8957
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Giorgio Maone » Tue May 05, 2009 9:07 am

Well, the whole Stallman's point comes out corroborated by this incident IMHO.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)

User avatar
Foam Head
Senior Member
Posts: 57
Joined: Sun May 03, 2009 5:35 pm

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Foam Head » Tue May 05, 2009 7:39 pm

Most of what Stallman proposes (IMHO) is either impractical (it's nigh folly to attempt on-the-fly replacement of "nontrivial non-free" JavaScript with an open/free alternative) or not particularly useful (adding @source and @license comments will be compressed out to reduce space). However, the article gave me one interesting thought that might be applicable to NoScript...

As Stallman mentions, JavaScript started out as a minor helper for page display, and although it can now be used for industrial sized functionality, it is often still used as such. For example, glancing at the source for the smilies in this forum's post editor, it's not overly complicated stuff. If we assume that all such trivial scripts are innocuous enough that they cannot directly harm the user, then NoScript could allow/disallow pages with only trivial scripts.

Obviously the big issue is the assumption that trivial scripts cannot directly harm the user. How NoScript identifies a trivial script would become highly important and, if NoScript became popular enough, could be specifically targeted by attackers. However, if the detection erred on the side of caution and was simple enough, it could work.

However, even if the "triviality" of a script could be easily and reliably determined, would there be enough web sites that just contain trivial scripts (if there's even one nontrivial script, you have to disable the entire page) to make this worthwhile? As most web sites push towards more and more complexity, it wouldn't make sense to program something that only works on a small percentage of all popular web sites.

So I don't know how appropriate or how viable this would be for NoScript, but the Stallman article did flicker this idea.
Cheers,
-Foam
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)

User avatar
Lucas Malor
Senior Member
Posts: 71
Joined: Tue Nov 09, 2010 2:01 pm
Contact:

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Lucas Malor » Wed Jan 19, 2011 10:20 am

The matter about free software is interesting, but it's not convenient to download the GPL every time a free script is loaded...

The other point is much more interesting: triviality. If a JS code contains nothing potentially harmful, why NoScript must not allow it by default? This will ease things for the end-user.

The problem is: if the JS code is not linked outside the document but it's inside the HTML code, can NoScript instruct Firefox to ignore only that piece of code?
Mozilla/5.0 (Windows NT 5.1; rv:2.0b10pre) Gecko/20110118 Firefox/4.0b10pre

User avatar
Giorgio Maone
Site Admin
Posts: 8957
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Giorgio Maone » Wed Jan 19, 2011 11:10 am

Lucas Malor wrote:The other point is much more interesting: triviality. If a JS code contains nothing potentially harmful, why NoScript must not allow it by default? This will ease things for the end-user.

Of course it would, but I'm afraid it's impossible.
You can't reliably tell whether a piece of code is innocuous without executing it, either in a VM/sandbox (if you're yourself a program, like NoScript) or in your mind, and even then you shouldn't be so self-confident.
Lucas Malor wrote:The problem is: if the JS code is not linked outside the document but it's inside the HTML code, can NoScript instruct Firefox to ignore only that piece of code?

This is a problem, but the minor one, see above.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

User avatar
Lucas Malor
Senior Member
Posts: 71
Joined: Tue Nov 09, 2010 2:01 pm
Contact:

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Lucas Malor » Wed Jan 19, 2011 1:38 pm

Giorgio Maone wrote:You can't reliably tell whether a piece of code is innocuous without executing it

You are right, but it could be a good compromise. NoScript could do this only for "reliable" sites (noscript.net/about)

EDIT:

Interesting site :)
Mozilla/5.0 (Windows NT 5.1; rv:2.0b10pre) Gecko/20110118 Firefox/4.0b10pre

Post Reply