by delllapssuck 5047 days ago
And today it's Javascript. Same problem. Running someone else's code without reading it first.

Why?

Because people want to see a "doodle" or some other silly graphic.

Truthfully, it's gotten worse: "Please enable Javascript." "You need to enable Javascript to use this website." (9 times out of 10, that's a lie.)

In the 1980's, it was telling people to run some ANSI codes through printf to see a blinking Christmas Tree.

Your web browser is designed to sandbox and safely run code.

Your shell isn't.

(People are working on it though, see for example http://berrange.com/posts/2012/01/17/building-application-sa...)

I can "sandbox" code using the shell far easier than I can control what a "modern browser" can do.

Because I know the shell and my OS better than I know a "modern browser".

"People are working on it..."

C'mon, man. This sounds pathetic. You can learn to use the shell safely. How do you think sysadmins do their jobs?

Or you can pretend the shell is too difficult and something to be feared. The simple fact is _you_ control the shell. You don't expose it to the world (unless you're playing games with CGI or doing like the OP said: feeding it random bytes from the internet). You can read the code for a basic shell (e.g. rc, sh, dash). You can modify and compile it yourself. You can write your own. CS students routinely write their own shells as part of the curriculum. A "shell" is something relatively simple.

You really think your ridiculously complex "modern browser" is "safe"? Safer than your shell?

http://www.youtube.com/watch?v=c8cQ0yU89sk

When you use the shell, you trust the people who provide your OS's kernel, the compiler, libraries and userland and those 3rd party applications, if any, you choose to run. That's already a lot of people and a lot of code. When you use a "modern browser" who do you trust? I can't even begin to quantify it.

As a very well respected cryptographer once wrote, security may be less a matter of reducing privilege than of reducing the amount of trusted code. The only reason you even have a concept of "privilege" is because it's a relic of shared computing. Everyone has their own computer now. There's no such thing as "root" in Plan 9.

Compare the LOC in a basic shell with the LOC in your web browser.

This discussion began when people pointed out that running shell scripts directly from the web was a Very Bad Idea. You then seemed to claim that browsing with javascript enabled was a similarly bad idea. I simply pointed out that they weren't equivalent at all, since the web browser was explicitly designed to execute untrusted code while your shell most certainly is not. I did not argue that web browser security was foolproof, and you're welcome to disable javascript and similar browser features if you feel it's a good tradeoff of functionality and security for you.