Javascript on steroids!

Ok, how do you programmaticall y send a particular keystroke to Firefox?
I do not mean detect a keystroke.

http://groups.google.com/group/comp....f185f19fb2d0f4

drclue wrote:

Would you like to display the weather,
stocks,movie listings or perhaps send someone an
SMS text message or fax?

Did you think Google or Yahoo maps was cool?

No matter the back end or third-party resource ,
chances are I could glue it all together
with simple javascript running in your page.

Want to know how it works , want to contribute,
want a turn key? say something!

I've been coding the internet since 1994 and
programming in general since before the advent
of the "PC".

It was only a couple days ago you left a similar promo for lampjack.

<URL:
http://groups.google.c om/group/comp.lang.javas cript/msg/827b1d86a79f9a7 5>

You didn't leave a url then and now you are trying to build hype again
with mystery.

<URL: http://www.lampjack.co m/>

You said your website is only in the development stage and works in
Firefox. Are you really ready for the onslaught of enthusiasm these
posts will generate?

Peter

pe**********@gm ail.com wrote:

>
It was only a couple days ago you left a similar promo for lampjack.

<URL:
http://groups.google.c om/group/comp.lang.javas cript/msg/827b1d86a79f9a7 5>

You didn't leave a url then and now you are trying to build hype again
with mystery.

<URL: http://www.lampjack.co m/>

You said your website is only in the development stage and works in
Firefox. Are you really ready for the onslaught of enthusiasm these
posts will generate?

Actually , yes I am ready for what I'm asking for.

I could offer free sex in the NG's and only see a trickle
of responses, but heck if you or others have code they would
like to run cross domain , or who would like to be early adopters ,
I'm there. I'll take what few if any folks actually respond and use them
as my focus group in refining the service both for the WYSIWYG crowd
and the down and dirty coder with some cool script, or even
the coder who wishes javascript could run a database and I will grant
their wish.

I'm making all the server side stuff up for grabs as cross-domain
javascript. Googlemaps is nice , but I'm offering to broker that and
anything else. You write the javascript and I'll provide the server side
back end and proxy stuff

Anyone up for javascript o steroids?

pe**********@gm ail.com wrote:
<snip>

... and now you are trying to build hype again
with mystery.

<snip>

Mystery is what should be expected, because any laying it on the line
about what the proposed system actual does in likely to elicit many
posts pointing out what a very bad idea it would be for any web site to
use the resulting system.

Google, a large organisation with some regard for its reputation, point
out that they may, at their own discretion, introduce advertising to
Google maps at any time (implying that those employing google maps but
not wanting the advertising will have to move to a commercial
alternative, also provided by Google). What might a less scrupulous
organisation do with centrally sourced script resources? Might they not
see financial advantage in including a speculative spyware installer in
say 1 in 1000 requests for a script? The odds of that being noticed
would be low, and an infected user would probably blame the web site
they were viewing rather than the originator of the scripts, if they
noticed at all. The same goes for a whole host of possible alternative
undesirable insertions. The risks in dynamically sourcing client-side
scripts from third parties are too great for any but the most reputable
sources to be considered.

Richard.

Richard Cornford wrote:

pe**********@gm ail.com wrote:
<snip>

>... and now you are trying to build hype again
with mystery.

<snip>

Mystery is what should be expected, because any laying it on the line
about what the proposed system actual does in likely to elicit many
posts pointing out what a very bad idea it would be for any web site to
use the resulting system.

Laying it all on the line would probably get me the wrong
crowd. Not because it is a bad idea , but rather that it is a young
idea of significant worth that is best served by an initial group
of talented users that could both make the best use of the
infrastructure and make the wisest comments and contributions.

Google, a large organisation with some regard for its reputation, point
out that they may, at their own discretion, introduce advertising to
Google maps at any time (implying that those employing google maps but
not wanting the advertising will have to move to a commercial
alternative, also provided by Google).

I appreciate this concern and here will answer it most honestly.
Those using the infrastructure for free may see injected advertising
over time to afford the free services. Those opting to pay for
infrastructure will certainly not see ads in their pages.
It is our hope that the math will work out such that ads will only
be displayed for x number of uses

What might a less scrupulous
organisation do with centrally sourced script resources? Might they not
see financial advantage in including a speculative spyware installer in
say 1 in 1000 requests for a script?

That would be a rude thing to do, and since I am the only one who
totally understands the hand written server side , I will not allow it.
While I do afford a statistical product of user behavior , nothing about
a particular user is ever allowed to be a matter of commerce.

The odds of that being noticed
would be low, and an infected user would probably blame the web site
they were viewing rather than the originator of the scripts, if they
noticed at all. The same goes for a whole host of possible alternative
undesirable insertions. The risks in dynamically sourcing client-side
scripts from third parties are too great for any but the most reputable
sources to be considered.

My reputation , such as it is reaches back to ~1994 as related to the
internet and could never be associated with any harvesting or spamming
operation. Matter-O-Fact to the dismay of some, our SMTP system is
specifically designed to suppress any attempts at spamming and at the
same time affords a system of attribution for every email sent and soon
will include in each mails headers information that will allow us to
swiftly deal with those who might abuse the resources.

drclue wrote:

Richard Cornford wrote:

>pe**********@gm ail.com wrote:
<snip>

>>... and now you are trying to build hype again
with mystery.

<snip>

Mystery is what should be expected, because any laying
it on the line about what the proposed system actual
does in likely to elicit many posts pointing out what
a very bad idea it would be for any web site to use
the resulting system.

Laying it all on the line would probably get me the wrong
crowd. Not because it is a bad idea , but rather that it
is a young idea of significant worth that is best served
by an initial group of talented users that could both make
the best use of the infrastructure and make the wisest
comments and contributions.

Which does not stop it from still being a bad idea.

>Google, a large organisation with some regard for its
reputation, point out that they may, at their own
discretion, introduce advertising to Google maps at
any time (implying that those employing google maps
but not wanting the advertising will have to move to
a commercial alternative, also provided by Google).

I appreciate this concern and here will answer it most
honestly.

The Epimenides paradox.

Those using the infrastructure for free may see injected
advertising over time to afford the free services.

So there is no question that the system will facilitate script injection
beyond the control of the web sites using it.

Those opting to pay for infrastructure will certainly not
see ads in their pages.

And what the eye doesn't see ...

It is our hope that the math will work out such that ads
will only be displayed for x number of uses

Presumably these adds are provided by third parties and then injected by
your server scripts. Which introduces the potential for another layer of
unscrupulous script insertion originating with the advertisers.

>What might a less scrupulous organisation do with
centrally sourced script resources? Might they not
see financial advantage in including a speculative
spyware installer in say 1 in 1000 requests for a script?

That would be a rude thing to do, and since I am the only
one who totally understands the hand written server side,
I will not allow it.

Which, apart from assuming honesty on your part, assumes you have
control now and retain control indefinitely. However, profit motivated
commercial ventures do change hands both when they are successful and
when they approach failure.

While I do afford a statistical product of user behavior,
nothing about a particular user is ever allowed to be a
matter of commerce.

You are planning to monitor user's behaviour?

>The odds of that being noticed would be low, ...

<snip>

>The risks in dynamically sourcing client-side
scripts from third parties are too great for
any but the most reputable sources to be considered.

My reputation , such as it is reaches back to ~1994 as
related to the internet and could never be associated
with any harvesting or spamming operation.

It is significant that your self-proclaimed long experience of the
Internet leaves you proposing that people do something that I would
consider suicidally reckless.

Matter-O-Fact to the dismay of some, our SMTP system is
specifically designed to suppress any attempts at spamming
and at the same time affords a system of attribution for
every email sent and soon will include in each mails
headers information that will allow us to swiftly deal
with those who might abuse the resources.

Web site security is largely a matter of exercising and keeping control
where you have control, on your own servers. Letting a third party
inject scripts on the client is sufficiently risky to make loud
assertions of honesty, responsibility and safety made by the providers
of those scripts insufficient justification for using them.

Richard.

Richard Cornford wrote:

Web site security is largely a matter of exercising and keeping control
where you have control, on your own servers. Letting a third party
inject scripts on the client is sufficiently risky to make loud
assertions of honesty, responsibility and safety made by the providers
of those scripts insufficient justification for using them.

So let's all ditch our on-line banking , throw out the googlemaps, turn
off our javascript and join our friends huddled in an undisclosed
location, crying loudly about weapons of mass destruction. :)

drclue wrote:

Richard Cornford wrote:

>Web site security is largely a matter of exercising and keeping
control where you have control, on your own servers. Letting a
third party inject scripts on the client is sufficiently risky to
make loud assertions of honesty, responsibility and safety
made by the providers of those scripts insufficient justification
for using them.

So let's all ditch our on-line banking , throw out the googlemaps,
turn off our javascript and join our friends huddled in an
undisclosed location, crying loudly about weapons of mass
destruction. :)

Why? Serving scripts from our own servers (and so being certain of what
will be in them) is hardly arduous.

Richard.

Richard Cornford wrote:

drclue wrote:

>Richard Cornford wrote:

>>Web site security is largely a matter of exercising and keeping
control where you have control, on your own servers. Letting a
third party inject scripts on the client is sufficiently risky to
make loud assertions of honesty, responsibility and safety
made by the providers of those scripts insufficient justification
for using them.

So let's all ditch our on-line banking , throw out the googlemaps,
turn off our javascript and join our friends huddled in an
undisclosed location, crying loudly about weapons of mass
destruction. :)

Why? Serving scripts from our own servers (and so being certain of what
will be in them) is hardly arduous.

It certainly would appear an arduous attitude
to jump out the box painting our efforts with such a broad brush.

All the scripts in LAMPjack are delivered from our LAMPjack servers
which makes a certified LAMPjack about as dangerous as a Googlemap.

In order to even develop, submit or use a LAMPjack script,
one has to have a verified account and the appropriate site and
session keys.

The target page would also have to cooperate by requesting
the infrastructure wLAMPjack.js and additionally
requesting specific functionality via class entry
<div class="wPoint_x xxx" /to even load a LAMPjack.

Any potential Ads would be injected in a fashion that precludes
cross domain scripting into the LAMPjack/Subscriber context,
as I agree that totally third party content needs to be caged.
Those third parties could also use LAMPjack, but only from their
own context, so those ads would only pose the same threat
as every other ad we see on the internet.

As to monitoring activities , even *YOUR* site logs every
request, right down to my IP address, so in order to avoid
log files we all need to give up using the internet at all
and/or hunker down in the dark nets and pay for fear by
the month, which still does not really protect anyone, but it sells.

As recent years demonstrate, fear sells well. ( A little Y2K anyone?)
Even 9/11 the horrific thing it was , has been abused
to sell hundred of billions of dollars in goods and services.
"commies" has been traded in for "terrorists " and
the lessons of McCarthyism have been forgotten as
the cost of 100% security is the 100% loss of freedom.

I give someone a news ticker , a googlesearch , perhaps
a membership tool , shopping basket or their local weather, and
suddenly we are talking global doom, so lets all hunker down
lock our doors and live in in abject fear, for the
quest of feeling totally secure.

Would a system not using LAMPjack be 100% secure? No.
The only system that comes close is one that's left in it's
shipping carton and never plugged in.

Even banks get hacked on an all to frequent basis,
so the idea is to make the security stiff enough
to exceed the value of the prize.

With a simple vise , a file , and a key, one can make
a master key for all locks of that type w/o ever seeing
the lock or the legitimate key, and so using your logic set
I could justify eliminating the benefit of doors , because
their locks can be opened by some high school kid

Was/Is security kept in mind? Of course.
Will there be challenges? Most certainly.
Are they insurmountable? Certainly not.

My belief is that cross-domain scripting can in conjunction
with server side tools provide a reasonably safe context
in which to conduct it's activities.