Security "researchers"
Mazuki
OK, this post is going to be a bit of a rant, but I do have a point to make as well and wanted to hear everyone else's opinions on the matter.

My main topic will be this blog post http://www.jgc.org/blog/2009/09/javascript-must-die.html, which was featured in grc.com's latest SecurityNOW! podcast/radio show (I usually stick to the PDFs for it).

I read through the radio show where John Graham Cumming and the two from GRC were talking about how JavaScript's security is horrid and needs to be fixed now. John was the one with the idea, and most of his talk was about how dynamic ad providers' in-line JavaScript is very dangerous because of the way that all JavaScript can access all other JavaScript in any web page, and there is currently no way to protect against it.

Well, to me this just shows how truly incompetent these "security research" firms really are. John, the one that did the "thesis" on this problem, does not even refer to himself as an expert, and did not even seem to realize that JavaScript actually CANNOT access all other JavaScript in a page unless the variables are defined globally outside of a function. It was another researcher who told him this. Yet he made a presentation at the Virus Bulletin Conference in Geneva; I guess it's a big deal.

Anyway, most of his talk about how you should use NoScript in Firefox or just disable JavaScript entirely sounds like the paranoid ramblings of a middle-aged IT office worker who knows little to nothing about security and is the type of person who would turn off their modem at night for fear that virii might infect them while their computer is turned off.

First, I will look past the fact that many of his ideas are based on website admins' continued usage of dynamic ad providers and tracking websites, which are a bad idea in the first place: if you can't get enough traffic to actually sell ad space, putting in these providers' ads is not going to get you enough revenue to offset the security holes they open up.

He talks about how there is no way to track if the JavaScript has been modified at the other end. This is simply not true. If anyone who is running a website is using any sort of server-side scripting language (PHP, CGI, .NET, ASP), there is actually a very simple way of tracking and checking the JavaScript that is provided by these companies: you need only put a function AFTER the inline script tag that can simply do a quick message digest of the script to verify if it has been changed, and if it has, remove it from the HTML before it gets a chance to be run.

You could even go so far as to put the in-line script tag INSIDE a PHP function, so that if the URL that holds the JavaScript does not return as OK, it is never even inserted.

The next point he wants to make is that perhaps we should put the links through an SSL session, so that if the domain is modified or the code changed, an invalid certificate will pop up. Well, that puts the security load on the end user to do the checks, and even your average college IT graduate might not be able to tell the difference between a properly forged certificate and a good one; that's just not a good plan.

I usually hear people scream SSL/HTTPS as a fix-all for security only when they do not know what they are talking about. But instead of all that malarkey, just do as above, as any site admin should be able to, and if not, then don't put in ads.

Then he goes on to talk about how all JavaScript can access other JavaScript. If you have ever read the JavaScript Bible, or I'm sure any intro to JavaScript, they will tell you that this is only true of the global variables that the DEVELOPER creates. So when you see these in-line site add-on scripts that have the variables listed inside a <script> tag, those can be modified by an XSS attack very quickly and easily, but if they are put inside a function (which you can even do and still get the same functionality as you would otherwise), then they are no longer accessible by other functions (unless they are attacking your site directly and have studied your code).

Personally, I'll stick to reading, researching and learning on my own before I trust other researchers. I have to be honest, I had high hopes for GRC's Security Now, but after that reading, and the fact that the two from the site didn't have a clue as to the other side of the argument, or the fact that most of John's "ideas" were just plain not true except in certain contexts, it just confirms my belief that most security "researchers" are nothing more than pseudo-intellectual copy-pasters in a search for fame.

Now my question for the darksiders is this: do you trust these "good guys" that seem to only be in the security industry for money and fame? Or will you put your trust in yourselves, maybe learn a thing or two, and make up your own damn mind (to quote the Oracle from The Matrix, of course) before you worry about anything?

P.S. I just had a look at his presentation, which can be found on his blog post (I didn't take the time to look before I read the Security Now posting), and most of his exploit examples are, first and foremost, not his work. Second, the blame for these "JavaScript exploits" is not on the JavaScript security model or the shoulders of the designers of JavaScript, but on the site developers' shoulders:
1) Twitter should watch URLs.
2) MySpace... well, it's MySpace.
3) If you are giving your <script> tag an ID, you deserve to have it modified. End of story.
4) A security hole in the implementation of a JavaScript engine is not the fault of the JavaScript language, but that of the developers of the browser.
5) A security hole in a router is not the fault of JavaScript, and you can't fix JavaScript to fix that hole; someone will just craft a link to do the work. (BT Home Hub)
6) Port scanning using JavaScript just shows ingenuity, not a lack of security; you can't make a language that is used on the internet NOT use the internet.
7) DNS attacks (namely the one Kaminsky talked about) are not as prevalent or dangerous as most of these "researchers" think, and are not a problem with JavaScript. It would take thousands of tries before you even poison a DNS, only to hold on to it for a few minutes anyway, and if you do that, it would be far smarter for the attacker to direct the user to a crafty PHP/JavaScript page than to try and get them from a modified ad script.

Near the end he just got off topic and didn't even cover the real low-level security of JavaScript and its problems. JavaScript was never meant to be server-side; it is a user-level language, which is why it is secured at the user level and not at the server level. If you can't protect your server, it is YOUR fault, not JavaScript's.
z00z00z00
I think you are perfectly entitled to your rant,
however if you live in the US, your free speech
is not equal to everyone else's
if they have more money than you do....
they can hire stuffed shirts, who may know little
about security, but are competent at alarming the public.
it might not be fair but I tend to be very skeptical these days,
microsoft would really like java & javascript to go away
and for everyone to jump through Silverlight hoops....
microsoft doesn't even have to be directly involved
some of security is pointing out real or imagined dangers
in order to sell their services,
and we do live in a culture that keeps saying
trust the experts
(the ones who got us into the recession,
and all manner of other things)
but we live in a culture where if it gets repeated
often enough most people believe it must be true,
and where people take polls before making decisions
which almost always leads to leads technology
anyway, this is your rant,... and I agree with you
but am not surprised.

regards

8-D
ADL_242
Google also likes HTTPS for their SPDY project, so I guess encryption is considered some holy grail for lots of things.

Sidenote: when I originally checked GRC.com for my torrentspeedguide, I found lots of references to how amateurish it was considered to be, on some Australian forum for networking pros.

Mazuki
Encryption has its uses, and they are many, but this whole "JavaScript must die" venture that people are on is just ridiculous. That's like saying PHP or Python are dangerous because they are consistently used to write exploits; personally I think that's just a sign of their power, and if JavaScript is one of them, then that just shows how useful it is.

I got a little confused, ADL: were you saying an AUS forum for networking pros said grc.com is amateurish, or that they said your guide was?
ADL_242
They made fun of people who use GRC's ShieldsUp as a security test (which is what it's advertised as).

Mazuki
Ah, OK, yes, I suppose I can't be too hard on them in particular, as they aren't actually calling themselves a security research firm, but the man featured on the radio show was a joke. Honestly, it should be called Bad Grammar NOW!, as through half of it I could not understand their English (granted, John was from the UK, so that might have been part of it).

I just think if you are going to consider yourself a person enlightened to the ideas and technologies of security, you should know what you are talking about before going public at conferences and radio shows speaking out about things you know nothing about.

I don't want to make a blanket statement about all security researchers in this manner, but most of the hyped-up media around security discoveries is just that: hype.
grumbles
Excellent post, Mazuki, and from someone who works in IT security you get a major pat on the back for stating what a lot of us think but are never heard.

Most of the so-called experts couldn't punch their way out of a paper bag nowadays. There are some good people out there, but they are few and far between. There is a lot of hype and scaremongering in the IT sec world, and it's there for one reason... MONEY!

If customers read all the hype, then they will buy that new product that protects them from X...

It's a sad state of affairs that it is like this, but I doubt it will ever change.

If you want some interesting reading concerning IT sec research, I would suggest Beautiful Security (I think TQW has it on here somewhere). Very good book in my opinion, and it shows that there are some people who are concerned about how bad security really is... and want to change it!

Off my soapbox now :)

Once again maz, excellent post!
blackknight
Good article Mazuki

I understand the frustrations.

Many companies will hire/employ "so-called experts" who have read the cover on the front and back of a book or coursework and will consider themselves 'learned'.

A little knowledge is a dangerous thing

Most of these experts are 'soundbite' specialists who always speak generically on the 'topic of the day' (column inches). There are many, many of these 'experts' in most areas (politics especially is riddled with them).

For me:

Question Everything

Do your own research

Trust not that which you are told until you can prove/disprove it

Formulate your own thesis (chances are very high it will be more accurate than any of these so-called 'experts').

The way I see it is that these 'experts' know that most people are too lazy to question them, or indeed anything; the delicious irony to this is your motto:

"There seems to be an audience that demands everything be explained to them, that everything be easy. And I don't think that's doing us any good as a culture."

Couldn't say it better myself.

Research, Hard Work, Application

When you put in your own work then the experience you get is something that you never lose.

I love a good rant as you know, especially if it is deserved.

Good Rant Mazuki
Mazuki
Cheers guys, and glad to hear your input as well, grumbles :)

And I know not everyone has the time, passion or dedication that others do in this field, so it's hard for them to put in the man-hours to research these things for themselves. This makes it even more frustrating, as people that might actually need the help don't get it because there are these greedy people out there that are just promoting their product. As you can see in John's blog post, he posted about a site that offers "proper tagging" and 100% safe coding or API or something (I didn't take the time to read into it at that point).

When really, as with all online coding, you need to follow the rules. In the PHP 6 Bible it states right at the beginning that you should NOT use the global arrays/variables when possible, and in PHP 6 they have been deprecated (removed) because of the security liability. If someone wants to code safely, maybe they should do a bit of reading, instead of listening to what other people say about it.

I can't remember the term, but it's something about mob mentality: one person screams there's a bomb coming, three people believe it, and before you know it, all of Miami is running for their lives while the one jokester/instigator sits back and enjoys the empty beach. Same concept here.
Nomsaiyan
Hey, I like the feedback in this topic. I've been around IT professionals all my life, and they obviously like to talk like they know everything. I think that's one of the major flaws of people who work in that industry. I've never had any professional training in the IT field; I simply got a computer when I was 4 years old. I learned the basic operations and I went for it.

It sounds to me like people just read a few books, pass a few exams, and then *poof*, they become an IT professional. I've actually worked freelance for a school district, and the IT people didn't even know half the stuff I knew. Sure, I may not know what an infinite loop is, but I know if you stick a key into a USB port you'll either get electrocuted, or you shut down half the building's power.

I don't see what everyone's problem is with Java these days. Java was awesome when the web first came out, and it's still awesome today. Half of all our electronics run Java. Silverlight, IMO, is never gonna work out; it's too slow and clunky. Try running Silverlight in IE8, it's horrible. I mean, anything involving IE8 is horrible. The web would be much better, though, if we got rid of Flash :D and just had HTML & Java having kinky sex all night long.

Hey, but what do I know... I only taught myself.
aZen
This thread has been dug up from the grave.

Nomsaiyan, Java is a different language.

This whole argument is based on "Academic Propaganda."

Dr John Graham Cumming - yes, he has a doctorate in computer security. He is well known in IT academic circles. I see his work referenced regularly, although not so much in the last few years since he's playing CIO for Causata, who seemingly have their finger in the pie since the GFC has spurred more need for human resources and semiotic business strategy. Causata is another spawn of Accel, and they're looking for JavaScript developers for their latest software, which is ironic, and it's also rumoured there are sponsored Oxford AFs working on revolutionising JS libraries, no doubt under Cumming's instruction. I do give the man credit, for he is a brilliant mathematician specialising in the theory of algorithms, so it's only natural for him to audit programming languages, although he's far from the top echelon in the industry. He is great at maths though, so you know, whatever :p

BTW: being self-taught is fine if you're going to work as help desk, web design, or network admin. Unfortunately, today the minimum requirement is at least a master's for any higher-level positions within IT unless you're a freak, but if you are a freak you'll work for yourself anyway, because you won't have the social skills to work for someone else. :p
Nomsaiyan
QUOTE (aZen @ Jul 19 2010, 03:17 PM)
but if you are a freak you'll work for yourself anyway because you won't have the social skills to work for someone else. :p

:D I am a freak
