Re: JavaScript is only a tool

[Lorenzo L. Ancora]

> Seems I have never used general purpose computers actually.

"General purpose computer: A computer designed to perform, or that is 
capable of performing, in a reasonably efficient manner, the functions 
required by both scientific and business applications. Note: A general 
purpose computer is often understood to be a large system, capable of 
supporting remote terminal operations, but it may also be a smaller 
computer, e.g., a desktop workstation." - quoted from Institute for 
Telecommunication Sciences (ITS), supervisioned by the National 
Telecommunications and Information Administration (NTIA)

...so your desktop is a general purpose computer and you are using it 
now. Never doubt that! :-)

>  When I
> install naked FreeBSD, hardly I can even read PDFs! But I tend to extend
> its functionality. I install software for viewing PDFs. Vim for better
> text editing. Something for image viewing and video files watching.
> But... well, I do not extend its functionality for running arbitrary
> remote code, not installing firefox/chromium. I do not want my computer
> to do general things -- only those I want to. And my computer even can
> not process/view Word documents. Anyway I like that.

This is your personal decision, because evidently you have a very simple 
lifestyle that exempts you of many needs that the common person must 
satisfy. You certainly have my respect (as I respect simplicity and 
uniqueness), but unfortunately this is irrelevant because the rest of 
the world does not observe you, does not know you exist and, foremost, 
needs JavaScript for everyday, fundamental activities. Hence, JavaScript 
will still remain in use on 99% of desktop and mobile computers for the 
next decade or more.

> Hardly a many-million-LOC software (modern browsers) can be ever
> considered anyhow, but secure. They are much larger than the whole
> operating system, with something like ZFS, full featured network daemons
> and LaTeX. For example Theo truly noted that people hardly can secure
> even "basic" virtualization technologies, so how can be talk seriously
> about sandboxing in much more bloated software?

Defensive programming, sandboxing, modularization, extensibility, unit 
testing, etc. are all techniques which enlarge the size of the code 
while increasing its security and web browsers employ them. In addition, 
the attack surface is not directly proportional to the number of LOC 
(lucky for us all), so comparing the security of two software by the 
size of their source code is totally inaccurate.

> Agreed. But are we talking about ecommerce, or about the fact, that
> someone starts to push me applications (JS scripts) instead of documents
> (the WWW, as it was born). Let's completely separate those worlds,
> having completely different tasks and nothing in common. JavaScript and
> all that beauty rendering things are only intended, useful and aimed for
> ecommerce.

The world wide web has evolved and end users are more demanding because 
they want multimedia content, real-time interactions, high accessibility 
and much more. End users expect the best.

JavaScript is required for chat, A/V streaming, live streaming, 
security, ecommerce, gaming, social networking, banking, and so on, plus 
it brings significant benefits in terms of security and accessibility in 
many other more traditional applications, especially if the site is 
large and needs faster ways to present information (end users rarely 
spend more than 30 seconds on a web page if their attention is not 
immediately captured).

> 1) I do not want to. Give me the WWW, the Web, distributed network of
> documents, not the network of applications. 2) You can have interactivity
> just by using something like VNC/telnet/X11 remote input/output sharing.

I hope this is a joke and you are not serious: nobody would grant you 
remote access to their computer just to show you a document or make a 
business offer. This has no sense whatsoever.

> I assume that Microsoft Windows is used because it is necessary too?
> If their needs and tasks are
> ecommercing and running Windows-compatible-only videogames, then yes, it
> is necessary for them. Web/WWW and web-browsers are about
> documents/knowledge sharing. I do not use Windows, have never own
> smartphones, do not use bank card -- how can I live without them if they
> are necessary? ZFS for me is necessary without any doubts. Do not put
> completely various tasks in one basket.

This looks like an attempt of Argumentum ad Passiones based on the words 
"Microsoft" and "Windows", a dialogue technique to bring an interlocutor 
into fallacy. Did you really think I wouldn't notice? :-)

For the rest, the overall paragraph is very unrealistic and could only 
be true if you lived outside of society or are a member of a very 
recluse community.

Please don't try to associate the fear/negative opinion towards 
"Microsoft Windows" (proprietary software solution) with JavaScript 
(standard programming language), because they are totally unrelated.
I wasn't born yesterday fella.

> Billions of users can not be wrong?

End users only act to satisfy their needs, there is no right or wrong.
The same goes for webmasters, they want more visitors and so improve 
their websites to attract and fidelize them.

> That is completely silly and lame thing to do: why update the system if
> everything already pretty good solved your task? Are any of more modern
> browsers version better? Maybe faster, more accessible?

Yes to all, and keeping the system up-to-date is a very important task.
All applications must be kept up-to-date at all times.

>  Solène's
> challenge demonstrates us that web is just becoming inaccessible more
> and more. Literally if I have not updated my browser for half a year:
> there will be web-sites (application-sites actually) that won't work at
> all (won't display anything).
> https://dataswamp.org/~solene/2021-07-07-old-computer-challenge.html
> https://dataswamp.org/~solene/2021-07-12-old-computer-challenge-day3.html
> https://dataswamp.org/~solene/2021-07-16-old-computer-challenge-day7.html

I'm sorry but I cannot comment on non-neutral and non-official sources 
of information. "dataswamp.org" is a non-authoritative source of 
information by itself, so there is nothing to confute.

It is common for outdated web browsers to fail to display the latest web 
pages correctly, just as an older operating system cannot run newer 
software and an older PDF reader cannot display newer documents 
correctly. Then it also depends on the ability of the involved 
webmasters (many are simply not interested in offering 
retro-compatibility because their visitors are very young) and on the 
quality of the tested web browser.

> And one of reasons to disable JavaScript: security. Untrusted
> unauthenticated code can compromise, because of known hardware attack
> vectors, everything. It is literally an opened backdoor.  This is not the 
> reason to leave widely open known backdoor.
> (and that is why I do not use "Linux" :-))

Please don't play on people's fear, it is not fair.

JavaScript runs in multiple sandboxes and is no more or less vulnerable 
than other web standards.

Obsolete computers are vulnerable and its your responsibility (or the 
responsibility of your sysadmin) to install the security patches when 
available. If you don't update your system, disabling JavaScript can 
only reduce the attack surface and the only solution is to disconnect it 
from the Internet. If you own vulnerable hardware, don't use it to 
browse the Internet in the first place.

Also, I'm glad you don't use Linux (in the sense that I like to see 
diversity), but from my point of view it's neither good nor bad. I am 
happy when my interlocutor is happy and I am sad when my interlocutor is 
sad: if the system you are using meets your expectations as mine are 
satisfied by Linux, I am happy for you.

> [...] https://www.gwern.net [...]

I'm sorry but I cannot comment on non-neutral and non-official sources 
of information. "gwern.net" is a non-authoritative source of information 
by itself, so there is nothing to confute.

> > Simple, the "bad guys" (black hat hackers/crackers/lamers/criminals/...)
> > would immediately search and find vulnerabilities elsewhere in the formats
>
> That thoughts are complete mess, in my opinion. "Finding bugs in format
> parsers/protocols" vs "arbitrary software execution"?

The "arbitrary software execution" you are referring to is more 
correctly stated as "managed script execution in unprivileged sandbox" 
and the bugs they may find in format and protocols would allow the real 
"arbitrary software execution", precisely a "unprivileged arbitrary 
execution of privileged software by code injection". So, the 
hypothetical global lack of support for JavaScript would only lead to 
more serious security vulnerabilities to be found, and in the meanwhile 
another (potentially more complex) scripting language is created to 
replace the economic/functional hole left by JavaScript.

> Banks could be fully satisfied with TLS/IPsec
> secured ordinary HTML forms, BBS/telnet/VNC/whatever remote sessions.
> Neither banks, nor governments need to run arbitrary closed software on
> my computer.

By law, banks have to discern legitimate users' legitimate web browsers 
from clients trying to simulate a web browser; they must also carry out 
checks on a time basis by law, to avoid brute force attacks and 
complicate the potential thefts of credentials (and I'm sure also other 
horrible frauds). Banks are forced to use all possible means to secure 
their web portals.

> I am glad ecommerce will disappear, honestly. I loved FidoNet, where all
> commerce was consolidated only and only in specialized echoareas and you
> literally can be forbidden to access that network if you will advertise
> anything in other areas. 

Ecommerce will never disappear, it can only increase over time.
If someone told you that ecommerce will disappear, they obviously meant 
that they are moving to Antarctica, where the Internet connection is absent.

> So... if you do not control firmware of your hard drive, that hardly can
> influence/prohibit/control much of the things you do on computer, then
> you say "damn it! I am not in full control! well, okay, let everyone can
> do literally anything on my computer, I allow every Web-server to send
> me arbitrary code for execution".

The only solution is to keep the operating system, firmware and web 
browser up to date. Disabling JavaScript will only reduce the attack 
surface, if you firmware is vulnerable there will be tons of attack 
vectors outside the sandbox. Alternatively you can unplug the network 
cable (after what I've read, I am convinced that you always use a 
network cable).

> > What will happen, as has always happened, is that the systems will become
> > more and more complex and therefore they will run even more and more
> > software.
>
> Nope. When I moved from Makefiles to redo -- everything became more
> simple. When I moved to daemontools+ucspi-tcp, everything became more
> simple. When I moved to (for example, that did not happen) OpenBSD,
> everything became more simple. And more secure.

Writing of Makefiles, their syntax is horrible and needlessly complex, 
so literally anything is an improvement; for daemontools and OpenBSD I 
cannot comment because I lack context.

>  Experienced users tend
> to throw away enormous complex bloated desktop environments and use tily
> tiling window managers. Word -> LaTeX. And so on, and so on.

Those are just people who have a lot of free time and still a lot of 
experience to do.

Among the many people I met, those who made the most "scene" with their 
computers were also the most incompetent and arrogant, because the need 
to appear in a certain way slowed down their intellectual progress and 
worsened their character. Nowadays I consider "smart" those who can find 
the solution which is more fit for their work environment, so to allow 
effective collaboration in the workplace and to easily ensure the 
working environment does not negatively impact their force of will.
For example, I use the MATE Desktop Environment with great satisfaction 
and avoid like the pest anything that could make the life more complex 
to me in the early morning, to my family members or eventually to my 
coworkers.

As nature demonstrates everyday, potential and quality are prevalent in 
adaptable solutions.

> Well, it is okay to read some plaintext or HTML. I really believe that
> neither NSA, nor Russian FSB can create such documents, that will
> exploit some bug in my less/lynx/whatever.

...mmmmmhhhhh...

> > if you need strong online security, use a secure DNS which filters unsafe 
> > domains;
>
> Someone decides if *I* should visit exact domains? Nah, I do not think so.

You should think otherwise, because you can't know in advance if a 
domain is safe, as it can be compromised without you knowing. DNS 
blacklists are very useful and prevent the spread of malware.

If you have a family, you should really take into consideration using a 
secure DNS server, because preventing is better than curing. Using a 
safe DNS server, a good firewall and an up-to-date web browser is a 
better solution than disabling JavaScript on their personal computers 
allowing their online browsing to be miserable.

> > if you don't trust the author of a local program, don't make it executable.
>
> Exactly that is what I do! No trustworthy author will try to push his
> program for execution on my computer, like modern Web-sites tend to do
> all the time.

That's a pretty nasty phrase, because JavaScript programmers might be 
offended. In fact, the webmasters who use JavaScript (90%) are honest 
workers and professionals.
You're not advertising your group well with this way of expressing yourself.

> > It's uneconomical, because colorful, animated web pages help sell products,
>
> Agreed. That is why most people hate advertisements and tries hardly not
> to see those annoying animated web pages. I remind that beauty colorful
> products selling in completely irrelevant task/need for free software
> people, for people in need of sharing information, not selling the
> products. Modern Web browsers, JS, CSS: for selling products -- agreed.

Everyone hates advertisements, but they are necessary for everyone, even 
for those who distribute free software but do not intend to ask for 
donations, for example. Without ads, you wouldn't be able to download 
anything for free, because domains, servers and staff have a cost.

> > From the point of view of security then, since HTTP is stateless and the
> > telnet/ssh sessions are statefull
> Actually that is complete hypocrisy. Because all modern Web-browsers,
> HTTP/2 and HTTP/3 are very hardly try to *exactly* leave session
> long-lived as much as they can. Literally keeping TLS resumption tickets
> for days. telnet/ssh sessions in practice will last only when you work
> with the remote side. TCP can be stateless, but not the cookies and
> JS storages.
> Wrong word. I mean "fallacy".

This does not make the protocols stateful, they remain stateless.
Developers, in fact, have to respect the standard and the state must be 
kept with distinct means. In addition, webmasters and web server 
developer cannot base their commits on inconsistent - albeit 
standard-compliant - client software behavior.

So, in any possible scenario, your are "downgrading" your security. :-)

> > The only answer is: the world does what is simple and sells well. According
> > to commercial logic, an FTP server does not help sales, a professional
> > interactive web page does.
>
> That is true. Because FTP/WWW were not created in selling and money
> gathering in mind. They solve another tasks. Modern Web browsers solve
> another tasks: controlling the user's computer by pulling pushed
> applications on it, to sell, and earn the money.

I read an unmotivably strong way of expressing oneself and a very weak 
syntax. Are you really convinced of your words?

The vendors of "modern" (correctly called "up-to-date") web browsers are 
not conspiring against their users (or you), they are just aware that it 
all depends on the economic growth. One of the purposes of JavaScript 
(and of all software) is to make money, as people normally have to earn 
income to live and be useful to their community or to the human kind.

> > So if you ask me "Can we win against JavaScript and the entire world that
> > uses it?", my answer is "No pals, you can't."; if you ask me "Can we make
> > people aware of how JavaScript is implemented?" my answer is "Yes and you
> > should do it". 
>
> Can we win against ecommerce? Of course not! Impossible. Agreed.
> But I critiqued only the fact, that you think that ecommerce-related
> technologies are needed for completely unrelated tasks like WWW,
> distributed documents network. It is literally like saying that Unity
> (game engine, as far as I heard) is totally necessary! Maybe yes... for
> game designers. However I believe that one can quickly create very
> beautiful and interactive, VR-friendly "pages" for even more selling.
> You are very right with the subject "JavaScript is only a tool".
> It is just missing "for ecommerce" suffix.

There is nothing to win or to lose and ecommerce, while being one of the 
powerful driving forces behind its development, is only one of the many 
purposes of JavaScript. JavaScript is necessary and irreplaceable for 
great part of the websites, either by being a required dependency or by 
representing a huge improvement for the user experience.

Il 20/07/21 21:29, Sergey Matveev ha scritto:
> Seems I have never used general purpose computers actually. When I
> install naked FreeBSD, hardly I can even read PDFs! But I tend to extend
> its functionality. I install software for viewing PDFs. Vim for better
> text editing. Something for image viewing and video files watching.
> But... well, I do not extend its functionality for running arbitrary
> remote code, not installing firefox/chromium. I do not want my computer
> to do general things -- only those I want to. And my computer even can
> not process/view Word documents. Anyway I like that.

--
All messages from/to this account should be considered private.
Messages from/to newsletters should not be reshared.
TZ: Europe/Rome (Italy - CEST).

OpenPGP_signature
Description: OpenPGP digital signature