flat assembler
Message board for the users of flat assembler.
flat assembler > Heap > Why we should always disable JS (and flash)

revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex
JS can jump both sandboxes and VMs. And it only takes one rogue/hacked website to do it. You can't trust JS. Ever. You never know what is being sent to your browser.

Even "trusted" websites become untrusted when your connection has been intercepted. And not just nation states can intercept your connection. Hotel WiFi is notorious for breaking TLS. Many large buildings have their own connection infrastructure. Many offices, businesses, universities and schools will connect you in their own way. And it only takes one bad node in any of the chain of boxes and now your computer has become part of a botnet.
Post 24 Mar 2017, 08:44
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex
http://www.theregister.co.uk/2017/04/01/invisible_bitcoin_paywall/

Quote:
HTML5 offers a feature called “Web Workers” that lets web pages run JavaScript in the background of web pages. Those scripts have nothing to do with the user interface and can be invisible to users, other than the fact they consume some processor cycles.

The Register has used Web Workers to create a distributed bitcoin mining operation.

Yay, let's allow all websites to steal our CPU cycles. Because of course doing work for remote websites is much more important than anything you might be doing. Rolling Eyes
Post 03 Apr 2017, 02:02
Furs



Joined: 04 Mar 2016
Posts: 764
Well, what you say is correct in principle, but that is just April Fools' Laughing (because otherwise they'd keep their mouths shut)
Post 03 Apr 2017, 10:57
YONG



Joined: 16 Mar 2005
Posts: 7940
Location: 22° 15' N | 114° 10' E

Furs wrote:
... but that is just April Fools' Laughing

The mod who always tries to trick other forum members into visiting his/her fake website got fooled! Laughing

Reminds me of this word: comeuppance.

Wink
Post 03 Apr 2017, 11:11
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex

YONG wrote:

Furs wrote:
... but that is just April Fools' Laughing

The mod who always tries to trick other forum members into visiting his/her fake website got fooled!

I already knew I am not perfect. So confirmation of such things is good. Smile
Post 03 Apr 2017, 14:14
TmX



Joined: 02 Mar 2006
Posts: 789
Location: Jakarta, Indonesia
A day without Javascript

Hmm, that means no YouTube, no Google mail, no Google maps, etc.
Let's see if I can survive a day without it Smile
Post 07 Jun 2017, 13:24
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex
I can use YouTube (with a browser extension) and Gmail, but Google Maps doesn't work. There are alternative video, mail and mapping sites though; Google doesn't own the Internet.

TmX: Enjoy.
Post 07 Jun 2017, 13:30
YONG



Joined: 16 Mar 2005
Posts: 7940
Location: 22° 15' N | 114° 10' E

TmX wrote:
A day without Javascript

Hmm, that means no YouTube, no Google mail, no Google maps, etc.
Let's see if I can survive a day without it Smile

I seldom use Google maps; HERE maps, provided by Windows Phone, is much better.

YouTube is mainly for entertainment. I can live without it.

Gmail is a must for me, unfortunately.

Wink
Post 08 Jun 2017, 02:13
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex
https://securelist.com/78588/50-hashes-per-hour/

Quote:
... Java Script initiates the redirecting of web requests to a malicious local web page.

The attack fails if JS is not run. So if you want to help out the attackers then make sure to have JS available.
Post 10 Jun 2017, 00:06
Furs



Joined: 04 Mar 2016
Posts: 764
I lol'd at "We bet you leave it on so you don’t have to wait until it boots up in the morning." Facepalm at humanity.
Post 10 Jun 2017, 11:49
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex
Let's all help Facebook to control us. I'm sure we can trust Facebook to have our best interests as a first priority. There can't be any profit motive here at all:

http://www.independent.co.uk/life-style/gadgets-and-tech/news/facebook-plans-to-watch-users-through-webcams-spy-patent-application-social-media-a7779711.html wrote:
Facebook is considering secretly watching and recording users through their webcams and smartphone cameras, a newly discovered patent suggests.

The document explains how the company would use technology to see how your facial expressions change when you come across different types of content on the site.

It would analyse those images to work out how you feel, and use the information to keep you on the site for longer.

It would be a shame if anyone decided to visit with JS disabled. That would be bad for Facebook. Sad

Very Happy


Last edited by revolution on 17 Jun 2017, 17:26; edited 1 time in total
Post 17 Jun 2017, 16:52
Furs



Joined: 04 Mar 2016
Posts: 764
JS has access to your webcam secretly? What a monstrosity browser "feature" Confused

(also, best to not have a webcam too Wink if you're on a PC)
Post 17 Jun 2017, 17:24
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex
I unplug the camera at the source on my laptops. The microphone also, although often mics are soldered in so they get a bit of the heat treatment instead.

Sometimes people ask me why I don't have some tape over my lens ...
Post 17 Jun 2017, 17:30
YONG



Joined: 16 Mar 2005
Posts: 7940
Location: 22° 15' N | 114° 10' E

Furs wrote:
JS has access to your webcam secretly? What a monstrosity browser "feature" Confused

Whenever the webcam is in use, the LED beside it will light up. Well, some older laptops may not have such an LED. Anyway.

Wink
Post 18 Jun 2017, 02:27
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex
The LED is controlled by software though. Sometimes there is a delay before it comes on. Perhaps the camera can be activated briefly to capture an image and deactivated again while the LED remains dark?
Post 18 Jun 2017, 02:45
sleepsleep



Joined: 05 Oct 2006
Posts: 6841
Location: ˛ Posts: 6699
i stick a label on top of my laptop camera, i rarely use camera,
whenever i put my hand phone, i will cover it with something else at the camera part, Embarassed

i prefer they build those phone with sliding cover, i open it when i want to use it, simple, Laughing
Post 18 Jun 2017, 12:30
YONG



Joined: 16 Mar 2005
Posts: 7940
Location: 22° 15' N | 114° 10' E

sleepsleep wrote:
i prefer they build those phone with sliding cover, i open it when i want to use it, simple, Laughing

My old ASUS laptop actually has such a sliding cover for its camera. Besides, it has a removable battery pack (that probably uses those 18650 cells)!

Wink
Post 19 Jun 2017, 02:10
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex
https://www.alexkras.com/i-decided-to-disable-amp-on-my-site/

AMP is a Google JS library that hijacks links.

Quote:
In any case, to test my theory I opened Chrome Developer Tools to throttle my network connection to the slowest option available and to disable JavaScript. I navigated to an article on my site and it loaded in three seconds. I tried to use Google search and it was blazing fast, BUT I didn’t see any AMP links. Of course not, AMP links only show up when JavaScript is enabled.

I’ve re-enabled the JavaScript (while keeping the network speed slow) and tried to search for some AMP content. It took over 10 seconds just to load the news carousel.

As far as I am concerned, static content (without JavaScript) is still the king.

Post 26 Jun 2017, 15:04
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex
Websites logging user-form data before it's submitted
And the tricks never end:

https://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081

Although that link doesn't work without JS, the text can be extracted from the source.

Quote:
If you’re daydreaming about buying a home or need to lower the payment on the one you already have, you might pay a visit to the Quicken Loans mortgage calculator. You’ll be asked a quick succession of questions that reveal how much cash you have on hand or how much your home is worth and how close you are to paying it off. Then Quicken will tell you how much you’d owe per month if you got a loan from them and asks for your name, email address, and phone number.

You might fill in the contact form, but then have second thoughts. Do you really want to tell this company how much you’re worth or how in debt you are? You change your mind and close the page before clicking the Submit button and agreeing to Quicken’s privacy policy.

But it’s too late. Your email address and phone number have already been sent to a server at "murdoog.com," which is owned by NaviStone, a company that advertises its ability to unmask anonymous website visitors and figure out their home addresses. NaviStone’s code on Quicken’s site invisibly grabbed each piece of your information as you filled it out, before you could hit the "Submit" button.

During a recent investigation into how a drug-trial recruitment company called Acurian Health tracks down people who look online for information about their medical conditions, we discovered NaviStone’s code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using Javascript, those sites were transmitting information from people as soon as they typed or auto-filled it into an online form. That way, the company would have it even if those people immediately changed their minds and closed the page. (It’s yet another way auto-fill can compromise your privacy.)

NaviStone is an Ohio-based startup in the business of identifying "ready to engage" customers and matching "previously anonymous website visitors to postal names and addresses." It says it can send postcards to the homes of anonymous website shoppers within a day or two of their visit, and that it’s capable of matching "60-70% of your anonymous site traffic to Postal names and addresses."

Yes, you guessed it, no JS means none of those underhanded things will work.
Post 29 Jun 2017, 12:09
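The pre-submit capture described in the quoted article can be checked for in a traffic capture. The following is an added example, not part of the original thread or of any site's code: it scans request records for typed form values that went to another host before the form was submitted. The hosts, field values and record layout are constructed assumptions.

```javascript
// Added example; hosts, field values and record layout are constructed.
// Forms a collector script might put a captured value into. The base64
// form only matches when the value was encoded on its own.
function encodings(value) {
  return [value, encodeURIComponent(value),
    Buffer.from(value, 'utf8').toString('base64')];
}

// requests: [{ t, url, body }] exported from a proxy or HAR capture.
// fields: { name: typedValue }. submitAt: timestamp of the submit click,
// or null when the visitor closed the page without submitting.
function findPreSubmitLeaks(pageOrigin, fields, requests, submitAt) {
  const pageHost = new URL(pageOrigin).hostname;
  const leaks = [];
  for (const req of requests) {
    if (submitAt !== null && req.t >= submitAt) continue; // sent on/after submit
    const host = new URL(req.url).hostname;
    if (host === pageHost) continue; // same host as the page (exact match)
    const haystack = req.url + '\n' + (req.body || '');
    for (const [name, value] of Object.entries(fields)) {
      if (value.length < 4) continue; // too short to match reliably
      if (encodings(value).some((e) => haystack.includes(e))) {
        leaks.push({ field: name, host, t: req.t });
      }
    }
  }
  return leaks;
}

// Constructed capture: the visitor types an e-mail address and a phone
// number into a calculator page, then leaves without submitting.
const SAMPLE_FIELDS = { email: 'pat@example.org', phone: '555-0100' };
const SAMPLE_REQUESTS = [
  { t: 1000, url: 'https://lender.example/calc?step=3', body: '' },
  { t: 2100, url: 'https://collector.example/c?v=pat%40example.org', body: '' },
  { t: 2900, url: 'https://collector.example/c',
    body: 'd=' + Buffer.from('555-0100').toString('base64') },
  { t: 3000, url: 'https://cdn.example/app.js', body: '' },
];

function demo(submitAt = null) {
  return findPreSubmitLeaks('https://lender.example', SAMPLE_FIELDS,
    SAMPLE_REQUESTS, submitAt);
}
console.log(demo());
```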
Furs



Joined: 04 Mar 2016
Posts: 764
WTF how is that even legal? I can understand logging IP addresses, but seriously home addresses and such? There is a reason this data falls under Privacy Policy. The fact they send it before even agreeing to the privacy policy should be illegal.
Post 29 Jun 2017, 13:50
Copyright © 2004-2016, Tomasz Grysztar.