The Security Problems with Serving Up Scripts & Mobil Code

>>Furthermore, you (well, Sidd, anyway...) claim that "most people will not
>>inspect the code that their browser executes or if they do, they dont
>>understand it so they are handing over control of their machine to any body
>>on the net whose website they visit"
>>First, I disagree that users today are quite that ignorant of the internet's
>>ability to affect a machine.  The average user is at the least wary of
>>viruses and the like, and will take precautions against them (such as
>>disabling javascript in their browser...)

i would say that this is not true, the average user uses the 
computer as given to hardware and all vulnerabilties
included. i'm going by my cusotmer base, may of whom have thriving
internet portion of their businesses, and repeatedly claim
computer ignorance.

>>I argue users are able to care of themselves after almost 8 years of
>>commercial internet.  

they tend to hire us to rescue em every time something goes
mildly or wildly awry. they cannot for the most part,
they are busy concentrating on their given profession.

>>I also believe instilling regulations like the ones
>>you ask us too would be like reinstating the law where a man must walk 30
>>feet in front of a vehicle with an oil lamp so people will know you are
>>Furthermore, we in the internet industry are now a customer driven society.
>>This wasn't true when you first made these areguments.  Users expect the
>>kind of "flash and dash" they get when we use current technologies.  They
>>pay out the rump for cable modems so they can get napster or download videos
>>from the net.  They choose the flash version over the html and deal with the
>>longer download time because they are in the mood to be entertained.  All
>>without inspecting the data packages for hidden tricks and viruses.

it starts to get into a financial and legal issues. flash and other fnacy toys
do little for people's bottom lines. and when i asked my customers
"are you willing to be liable for crashing people's computers?"
they usually say a resounding, "NO".

>>What matters in this equation?  That I, as a content provider, get my point
>>across because I used a technology which allowed me to pass my information
>>to my customer in a way he or she wants to see it?  Or that make an effort
>>to police police my customer's web use for them, so they'll go off to
>>another web site to see something more interesting.

nothing is as interesting as being able to easiyl contact someone about 
the product or service your looking for.

>>As much as I hate to admit it, the large majority of web users (and, I
>>content almost all of the users the DON is interested in) are not the
>>educated university graduate students looking for information like in the
>>mid ninties, but rather the "low attention span" majority of our national
>>population for which commercial makers have decided can't watch a still shot
>>in a commercial for more than four seconds without getting bored.

this is true, but i would venture to say that nearly every user on the 
internet has been thru our servers for some reason, and the comments
that we do get are generally postive and they are thankful for
an easy to use resource.

>>Another comment Sidd made was: "i have no wish to run my code except in an
>>environment that i control ..."
>>Fine.  While this would be more protective of your users, I agree this may
>>open up issues for you security wise on your server.  I argue, however, that
>>if you set up your server correctly, there would be no problems.
>>It is up to you to know how to set up your firewalls correctly.  It is up to
>>you to get a security certificate and a secure socet layer to protect
>>sensitive information.  It is up to you to only place items in the public
>>domain that need to be in the public domain.  It is up to you to know enough
>>about the language you are coding in to eliminate areas of security risk.

again, this is where we are hired....

>>I think you would be hard pressed to actually tell me a security risk I
>>would have as a result of utilizing a server side scripting language on my
>>server.  Especially those like ASP where users can't even see the code
>>(providing you remove anonymous FTP from the server.)  I think you would be
>>even harder pressed to show me a security concern I would have by using a
>>client side scripting language, so long as you use the language
>>I see you are against scripting languages (even though there is a much
>>larger demonstrated risk in holding a Perl CGI-Bin on you server... ), but I
>>still have not seen any specific examples why.  Don't hold back on me, get
>>technical.  I am MCSE, MCSD and Cisco certified.  I went through three and a
>>half years of computer engineering and I have been designing content for the
>>internet since 1989.  I think I can handle it.  Sidd said it best. "there
>>are other reasons...but these will suffice ..."
>>Maybe to describe why you won't allow the codes to be placed on your server,
>>but certainly not to get me to join the cause... and certainly not enough to
>>get the SecNav webmaster to change his mind and order a total rewrite of
>>even his own webserver, much less than the 560 some odd others he has
>>administrative control over.

you got me here, except that we dont regrad microsoft so highly....

>>Much of what I said above applies here as well.  Again, I can not fault you
>>for writing this abstract in 1994,  I might have even agreed with you then.
>>I still claim that most of your concerns do not apply to people who know
>>their coding language and are willing to ensure they act in a moral way.

agreed, these are teh people we would like to work with
those like Net Neilsen have already said they cant work with us
in an ethical way.....

>>For instance, in your cache_attack article
>>( you
>>blame the ability of javascript for the code.  The true culprit in this case
>>is not the language, it is the way it is used.  "the exploit allows an
>>unethical Web Site", not an ethical one.  No more so than an onloaded gun
>>offers a threat to a crowded room.  Someone must load that gun and fire it,
>>wether accidentally or intentionally, to harm someone.

we didnt write the article.....

>>All that said...  answer me this.
>>I currently administrate 13 DOD webservers as well as oversee or consult on
>>the administration of 232 commercial web servers (my contracts as of Jan
>>12... my managers should have another report to me on the 5th of next
>>I try to design all my websites to offer as much flex- and useability as
>>possible to the widest array of users possible.  We use asp as a rule, and
>>use the scripts to determine what abilities our clients have and offer
>>webpages tailored to that client.  In other words, users who have java
>>disabled don't get any java on the page.  (mostly because alternative
>>browsers are often not java capable, such as one used by the blind ...)

this is not your place to decide, is it? 
isnt that the moral dilemma, your pushing on em.....

(hey guys, this thread is awesome)


Back To The Study