Everything good about Python except GUI IDE?

Steven D'Aprano steve at pearwood.info
Tue Mar 1 21:22:58 EST 2016


On Wed, 2 Mar 2016 05:07 am, Chris Angelico wrote:

> On Wed, Mar 2, 2016 at 3:44 AM, Steven D'Aprano <steve at pearwood.info>
> wrote:

>> A better analogy is:
>>
>> When I add cocaine to my stew, the result is appallingly bad for those
>> who eat it. Do you have any idea how rough cocaine is on the human body
>> and brain? My wife likes the analogy, being on cocaine is like pressing
>> the accelerator of your car all the way to the floor, ALL THE TIME,
>> regardless of whether you are moving forward or stopped at the lights.
>> And yet, for some reason, people seem to like the cocaine-riddled stew,
>> and often ask me to add more cocaine.
>>
>> People cannot get enough of Javascript, no matter what it does to the
>> security and stability of their browser, no matter how many pop-ups it
>> launches or how much spyware and malware it installs, or how many times
>> it kills their browser.
> 
> s/cocaine/sriracha/ and I would agree with you, because there are
> places where JS can majorly enhance a web site, and it isn't going to
> kill you if you use it correctly. 

If by "kill" you mean "compromise your system", then JS absolutely can kill.
Running somebody else's code on your machine could have *any* consequence,
such as installing spyware, a spam-bot, ransomware, a keylogger that
results in your bank account being emptied, or (if the spyware is being run
by people who consider you an enemy of the state) literal death via a
midnight visit from the secret police or a Hellfire missile fired through
your window.


https://community.rapid7.com/community/metasploit/blog/2014/01/23/firefox-privileged-payloads

http://er.educause.edu/blogs/2016/2/fast-forward-javascript-api-exploits

http://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/

https://www.vidder.com/resources/attacks/javascript-device-exploit.html

https://www.usenix.org/legacy/event/woot08/tech/full_papers/daniel/daniel_html/

http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1487635#vtab-characteristics


(The last one typos the malware as "Java" code, but if you read on you'll
see they actually mean Javascript.)


As a web developer, if you host ads, your viewers are at the mercy of malware:

https://en.wikipedia.org/wiki/Malvertising

Most malicious advertising is still written in Flash/ActionScript (a variant
of Javascript), but some use Javascript:

http://www.pcworld.com/article/3039816/security/malvertising-campaigns-are-becoming-harder-to-detect.html




-- 
Steven



