
Javascript on steroids!


Would you like to display the weather,
stocks, movie listings or perhaps send someone an
SMS text message or fax?

Did you think Google or Yahoo maps was cool?

No matter the back end or third-party resource,
chances are I could glue it all together
with simple javascript running in your page.

Want to know how it works, want to contribute,
want a turn key? Say something!

I've been coding the internet since 1994 and
programming in general since before the advent
of the "PC".
Sep 9 '06
drclue wrote:
>
It certainly would appear an arduous attitude
to jump out the box painting our efforts with such a broad brush.
I think it would have been better to introduce LAMPJack with a brief
description of how the technology works overall: your server, my
server, client browser and all the communication between them. Then
people would have some idea why LAMPJacks are so cool.

Peter

Sep 12 '06 #11
runner7 wrote:
Ok, how do you programmatically send a particular keystroke to Firefox?
I do not mean detect a keystroke.

http://groups.google.com/group/comp....f185f19fb2d0f4
LAMPjack does not add anything that would
enhance ones ability to mimic keystrokes.

On the other hand, LAMPjack could in some cases
be used to route data from one place to another
including a form submission.

Being as the LAMPjack infrastructure counts
transactions/frequencies/sequences and other things,
one would need to get special permission to
do a lot of them; otherwise, in some cases,
the account might be flagged or disabled
by the infrastructure.





Sep 12 '06 #12
drclue wrote:
Richard Cornford wrote:
>drclue wrote:
>>Richard Cornford wrote:
Web site security is largely a matter of exercising and keeping
control where you have control, on your own servers. Letting a
third party inject scripts on the client is sufficiently risky to
make loud assertions of honesty, responsibility and safety
made by the providers of those scripts insufficient justification
for using them.

So let's all ditch our on-line banking, throw out the googlemaps,
turn off our javascript and join our friends huddled in an
undisclosed location, crying loudly about weapons of mass
destruction. :)

Why? Serving scripts from our own servers (and so being certain of
what will be in them) is hardly arduous.

It certainly would appear an arduous attitude
to jump out the box painting our efforts with such
a broad brush.
All I did was point out that in the hands of the unscrupulous a system
that asks sites to include client-side scripts originating on a remote
server could be used to inject arbitrary malicious scripts in a way that
was very difficult to observe, but may be seriously damaging for the
reputation of the web site's owners and the financial well being and
privacy of their users. That is just a fact, what can be done with
scripts injected on the client is anything that can be done by any
script on the page.
All the scripts in LAMPjack are delivered from our
LAMPjack servers which makes a certified LAMPjack
about as dangerous as a Googlemap.
Two things speak for the safety of google maps: 1. Google's reputation
(which you would hope they would not want to endanger), and 2. The
technical competence of google's developers. Given that google has a
long history of tolerating script injection the latter is not much of a
reassurance, though as google will not be using Googlemaps to inject
malicious scripts (to preserve their reputation) no injections will be
possible until they start including advertising (and their developers do
appear to be finally getting to grips with their script insertion
problems).
In order to even develop, submit or use a LAMPjack
script, one has to have a verified account and the
appropriate site and session keys.
Aren't the people who would be developing the scripts for your system
the ones creating the lures that will encourage the people who have web
sites to use the system? There is little significance in these two
groups having "verified accounts".
The target page would also have to cooperate
Yes, you cannot force alien client side scripts into a page, it has to
invite them in (a bit like vampires).

<snip>
Any potential Ads would be injected in a fashion
that precludes cross domain scripting into the
LAMPjack/Subscriber context,
Details?
as I agree that totally third party content needs
to be caged.
But you promise everyone that your position as a third party would never
be abused?
Those third parties could also use LAMPjack, but only
from their own context, so those ads would only pose
the same threat as every other ad we see on the internet.

As to monitoring activities, even *YOUR* site
logs every request, right down to my IP address,
And if I included a script that did it I could monitor every key stroke
the user made and broadcast it back to my server, speculatively test for
the ability to install software (and install things (read spyware) on
the client if the ability was exposed) and so on. Of course I have no
reason for monitoring passwords and reading credit card numbers as they,
if entered, are going to be sent to me anyway, but if a third party
could upload those scripts to sites I am responsible for then they may
see considerable value in what they could achieve.
so in order to avoid log files we all need to give
up using the internet at all and/or hunker down in
the dark nets and pay for fear by the month, which
still does not really protect anyone, but it sells.
That is a "slippery slope" argument that doesn't quite work.

<snip>
Would a system not using LAMPjack be 100%
secure? No. The only system that comes close
is one that's left in its shipping carton and
never plugged in.
Are you saying that if you cannot be 100% secure you may as well be wide
open to anything?
The only system that comes close is one that's left in its
shipping carton and never plugged in.

Even banks get hacked on an all too frequent basis,
so the idea is to make the security stiff enough
to exceed the value of the prize.

With a simple vise, a file, and a key, one can make
a master key for all locks of that type ...
<snip>

That is not at all true. A lock as simple as the Yale lock, for example,
has no master key at all, so no such object could be created.
My belief is that cross-domain scripting can in
conjunction with server side tools provide a reasonably
safe context in which to conduct its activities.
Don't be ridiculous. Your system is absolutely reliant on the owners of
web sites being willing to include scripts in their pages sourced from a
third party server. At that moment client side security is already out
of the window. The only safety these web sites will have comes from
exactly the same sources as Googlemap's: your technical competence (and
you already know what I think of that), and your reputation (which is
not something I would hang a web site upon).

The problem here is that if your intentions were to exploit the gullible
and leach information from the users of their web sites for your own
financial gain how would what you would then post in order to lure
people into using the system differ from what you have posted here?

Richard.
Sep 12 '06 #13
pe**********@gmail.com wrote:
drclue wrote:
>It certainly would appear an arduous attitude
to jump out the box painting our efforts with such a broad brush.

I think it would have been better to introduce LAMPJack with a brief
description of how the technology works overall: your server, my
server, client browser and all the communcation between them. Then
people would have some idea why LAMPJacks are so cool.

My experience has been that a year's worth of food is best eaten
a bit at a time. I generally don't read nor respond to messages
of the girth that would be required to express the last years
development effort in one meal.
Sep 13 '06 #14
Richard Cornford wrote:
>With a simple vise , a file , and a key, one can make
a master key for all locks of that type ...
<snip>

That is not at all true. A lock as simple as the Yale lock, for example,
has no master key at all, so no such object could be created.
Please feel free to search for "bumpkey" which among other links
should explain the simple physics involved in making
master keys for almost any lock relying on pin tumblers.

If you like I think that YouTube.com has several fine
educational videos on the subject.

So I will file your latest *it can't be done* claim with your
other comments of similar quality.


Sep 13 '06 #15
drclue wrote:
Richard Cornford wrote:
>>With a simple vise , a file , and a key, one can make
a master key for all locks of that type ...
<snip>

That is not at all true. A lock as simple as the Yale lock, for example,
has no master key at all, so no such object could be created.

Please feel free to search for "bumpkey" which among other links
should explain the simple physics involved in making
master keys for almost any lock relying on pin tumblers.
<snip>

That device is not a master key; it is a lock picking tool. I did not
say Yale locks were not easy to pick just that it is not possible to
make a master key for them. But if you need another example, how are
you going to make a master key for a 5 lever Chubb lock?

Richard.

Sep 13 '06 #16
Richard Cornford wrote:
drclue wrote:
>Richard Cornford wrote:
>>>With a simple vise , a file , and a key, one can make
a master key for all locks of that type ...
<snip>

That is not at all true. A lock as simple as the Yale lock, for example,
has no master key at all, so no such object could be created.
Please feel free to search for "bumpkey" which among other links
should explain the simple physics involved in making
master keys for almost any lock relying on pin tumblers.
<snip>

That device is not a master key; it is a lock picking tool.
The Merriam-Webster Online Dictionary defines a "Master Key"
as "a key designed to open several different locks".
That's exactly what a bumpkey is.
I did not say Yale locks were not easy to pick just that it is not possible to
make a master key for them. But if you need another example, how are
you going to make a master key for a 5 lever Chubb lock?
The Chubb looks to be a pin cylinder lock as opposed to
a pin tumbler lock (different animal). If you're interested
in such things I would direct you to a very entertaining resource
http://www.toool.nl/index-eng.php

The point is that security is more a deterrent than any kind
of guarantee, be it an internet service or your house's own
front door. The size and complexity of the lock or other
security mechanism needs to be in line with the item being protected,
which is why although most bathroom doors have a lock, they
are designed to the level of the prize (one's modesty) in this case.

Likewise the various layers of LAMPjack security are aimed at
the level of the prize they protect, although most would be much
harder to bypass than the average house or business's front door.

Even your local bank likely uses a plain old lock on the front door
as that guards the prize of the lobby, while heavier security
is used on the vault where the actual money is.

In the LAMPjack system we defer things like credit card processing
to third parties like PayPal whose specialty is the bank vault side
of things. This allows us to keep the prize level down on LAMPjack
services while at the same time we are always looking for ways
to make LAMPjack security an ever increasing deterrent.

The API supports both server encrypted site keys,
and server encrypted session keys that can, depending on the level
of deterrent required, be unique for each transaction.



Sep 13 '06 #17
drclue wrote:
Richard Cornford wrote:
>drclue wrote:
<snip>
>>Please feel free to search for "bumpkey" ...
<snip>
>>
That device is not a master key it is a lock picking tool.

The Merriam-Webster Online Dictionary defines a "Master Key"
as "a key designed to open several different locks".
A lock picking tool is not a key.
That's exactly what a bumpkey is.
It is a device for opening locks of a particular type, that does not, of
itself, make it a key.
>I did not say Yale locks were not easy to pick just that
it is not possible to make a master key for them. But
if you need another example, how are you going to make
a master key for a 5 lever Chubb lock?

The Chubb looks to be a pin cylinder lock
The 5 lever Chubb lock is a lever lock (with 5 levers, surprisingly
enough). No pins and no cylinders.
... If you're interested in such things ...
<snip>

No, my interest does not go beyond testing the veracity of your claim
that "With a simple vise, a file, and a key, one can make a master key
for all locks of that type". As you have now started evading the
question I assume you have realised that it was a false statement, as I
asserted.
The point is that security is more a deterrent than
any kind of guarantee, ...
<snip>

With your proposed system the issues are not keeping people out but
instead the owners of web sites inviting third party scripts in, and
then having the problem of how they are going to police those third
party scripts to ensure that they do not attempt to do anything
malicious to the site's users. Verbal assurances from the source of
those third party scripts are of no value in answering the question as
the dishonest will tell lies to achieve their ends.

Richard.
Sep 13 '06 #18
Richard Cornford wrote:
With your proposed system the issues are not keeping people out but
instead the owners of web sites inviting third party scripts in, and
then having the problem of how they are going to police those third
party scripts to ensure that they do not attempt to do anything
malicious to the site's users. Verbal assurances from the source of
those third party scripts are of no value in answering the question as
the dishonest will tell lies to achieve their ends.
You mean in a fashion similar to your quoting tactics designed to
reverse the meaning of a quote by taking it out of context?

We have a business plan that is based upon providing
users with successful transactions at a
fraction of a penny each or ad exchange, in which
case an advertiser pays the transaction costs.

Each transaction is backed by LAMPjack server logs
which can be audited against the client's and/or
advertiser's web logs to assure, via a source independent
of LAMPjack, that the transactions are valid and
not "made up".

Each LAMPjack is by nature "open-source", so you, the client,
the advertiser or anyone else can examine the code to
see if there is any deviousness afoot.

Even the main LAMPjack javascript infrastructure files
are again by their very nature open source.

In a LAMPjack or even LAMPjack infrastructure, there
is really no place to hide a bad deed in the javascript.

This basically leaves the data that flows through
the server side. One's LAMPjack login, the inputs to
proxy services like the weather, geocoders, stock and
news tickers, shopping baskets and other services that, while cool,
are not exactly the basis for a scam. At least not one
that could not be achieved far easier via other means and
at far less cost.

For the moment I'll assume your quoting behavior was simply born
of haste. I'm more than willing to have a *productive*
discussion about the general security aspects of LAMPjack
or even gasp the productive things you can do with it, but
the broken record of fear mongering is likely to brand you a troll.


Sep 13 '06 #19
drclue wrote:
Richard Cornford wrote:
<snip>
>... . Verbal assurances from the source of those third
party scripts are of no value in answering the question as
the dishonest will tell lies to achieve their ends.

You mean in a fashion similar to your quoting tactics designed to
reverse the meaning of a quote by taking it out of context?
Others can judge that for themselves.

<snip>
Each LAMPjack is by nature "open-source" , so you , the client,
the advertiser or anyone else can examine the code to
see if there is any deviousness afoot.
Inevitably they can look at the source, but if malicious injections
were kept to a lowish percentage of actual requests (and not served to
repeated requests from the same IP address (within a period of, say, one
day), which is what a site owner may decide to do in order to verify
that there were no intermittent malicious injections, even though they
would be paying for the privilege) then the odds of detection would be
low (as the onus to detect would mostly be on non-technically skilled
browser users).

And there is the question of whether someone who is employing third
party scripts is qualified to identify a malicious script from its
(potentially obfuscated and compacted) source code.
Even the main LAMPjack javascript infrastructure files
are again by their very nature open source.

In a LAMPjack or even LAMPjack infrastructure , there
is really no place to hide a bad deed in the javascript.
Hide from who? If you are the one doing the injecting then you can
insert anything from any hidden/personal source you like.
<snip>
For the moment I'll assume your quoting behavior was
simply born of haste. I'm more than willing to have a
*productive* discussion about the general security
aspects of LAMPjack
No you are not. You want to suggest that everything is safe and above
board but you cannot deal with the problem that your system has the
potential to inject arbitrary scripts into the web pages of any web
site that uses it, and your assurances that it is safe would not differ
if your intentions were dishonest. Indeed your unwillingness to admit
that your system should be regarded as a security issue by its
potential users (the web site owning users), and that they should
expect some sort of verified and underwritten guarantees of your good
intentions (with draconian and enforceable penalty clauses if you
transgress), at minimum, speaks against your trustworthiness. As do
your continued efforts to deflect attention from my comments with
irrelevancies and your resorting to personal comments.
or even gasp the productive things you can do with it, but
the broken record of fear mongering is likely to brand you
a troll.
The potential exists, you don't have Google's reputation (at all, or to
defend) and your assertions that there are no security issues are not
reassuring, and are even suspicious in themselves.

Richard.

Sep 13 '06 #20
