Wednesday, October 1, 2014

Never Trust People Who Make Blanket Statements

To forestall counter-rants, that title is technically termed 'Delicious Irony'.

There are HTML entity names and numbers defined for some tiny little things in circles. &reg; or &#174; for Registered Trademarks, &copy; or &#169; for Copyright. They don't seem to work on blogger.com, at least in Preview, which is one more argument against using this environment, though there is likely some secret sauce you can apply if you are willing to be locked in. That was probably worth a small amount of snark, but I have to blow it off in favor of The Greater Snark.

What we could really use is a capital I in a tiny circle, defined as Irony. Because people seem to have a huge problem with recognizing it, even when they share the same language and cultural background, and even if it squats on their heads and barks. I have no definitive idea of why this is so, though I tend to think that John Scalzi showed more than a bit of insight at http://whatever.scalzi.com/2010/06/16/the-failure-state-of-clever/.

On to Serious Security Stuff

Because I really do have a point to make. Two, actually.

Months ago, I ran across an article focused on 'we all love JavaScript'. node.js, ubiquitous tool on either side of the connection, love, love, love. 'We all' should have sent up a lot of warning flags--perhaps to the extent of 'I can stop reading now.' It is so horrendously hard to stay informed, in the current security landscape, that reasons to stop reading may be more useful than reasons to keep reading.

First Point

This is a language which was created in 1995, which contained a Y2K bug. It was a very silly time to create a language with short- versus long-dates. It was a time when most Web sites were entirely static, Java applets could not be effectively downloaded over the current average bandwidth, and the quest for interactivity was on. The very name Javascript, which has no relation to Java, was all about marketing to this desperate audience. There is another rant in the works about marketing. I'll change this to a link when I post it.

Regarding Y2K: this was not nearly such a non-event as people (and trade press) who rate everything on an Internet Drama scale seem to think. The fact that Y2K had very little effect was more a measure of the vast resources expended on fixing the problems, and how effective those measures were. It was a huge win, but lacked Internet Drama, so it is now widely regarded as hype. Nothing could be further from the truth.
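The short- versus long-date problem in concrete form, as an added example that is not part of the original post. It assumes the Y2K bug referred to above is the legacy `Date.prototype.getYear()` (year minus 1900, so 2000 comes back as 100) together with the constructor's pivoting of two-digit years into 1900-1999; the defensive fix is to use only the four-digit `getFullYear()`/`setFullYear()` APIs.

```javascript
// Added example, not code from the original post. Assumption: the post's
// "Y2K bug" is the legacy Date.prototype.getYear() behaviour (year - 1900)
// plus the two-digit-year pivot in the Date constructor.

// The bug as it was commonly written: getYear() returns 99 for 1999, so
// prefixing "19" looked correct right up until 2000, when getYear()
// returns 100 and the display becomes "19100".
function legacyYearDisplay(date) {
  return "19" + date.getYear();
}

// The fix: never touch getYear(); getFullYear() always yields four digits.
function safeYearDisplay(date) {
  return String(date.getFullYear());
}

// Second half of the problem: a two-digit year passed to the constructor is
// silently pivoted into 1900-1999 (98 -> 1998, 0 -> 1900), so a short year
// can never represent 2000 or later.
function yearFromShortConstructor(yy) {
  return new Date(yy, 0, 1).getFullYear();
}

// Safe construction: set the full year explicitly, which is never pivoted.
function dateFromFullYear(yyyy) {
  const d = new Date(0);
  d.setFullYear(yyyy, 0, 1);
  return d;
}
```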

Second Point

The existence of http://shop.oreilly.com/product/9780596517748.do (JavaScript: The Good Parts).

The capsule description reads:
"Most programming languages contain good and bad parts, but JavaScript has more than its share of the bad, having been developed and released in a hurry before it could be refined. This authoritative book scrapes away these bad features to reveal a subset of JavaScript that's more reliable, readable, and maintainable than the..."

O'Reilly has arguably done huge damage to Internet security from their beginnings, when they coined the term 'LAMP'. Linux, Apache, MySQL, and PHP. The latter two components of which have not been, shall we say, filled with bliss, over the years. But love them or hate them, they do publish important titles, and this was one of them.

So, Is Everything FUBAR?

In broad strokes, yes. Things are generally FUBAR, in the general case of the overall security landscape. It has never really been otherwise. This is not necessarily true in every case.

There are instances where large Javascript libraries are deployed, unvetted, for no better reason than skinning a Web site. I will note that the ability to choose your color scheme seldom has anything to do with color-blindness issues, which would at least be a usability win for a surprisingly (to me, at least) common problem. OTOH, other libraries are deployed for reasons that are far more important than skinning (think financial institutions), and where vetting is just not done. The median is probably somewhere around MathJax, which is non-frivolous, is not widely deployed in sensitive consumer-facing applications, and is just cool as hell.

But history demands that we presume the worst case, and we need rock-solid analysis tools, the output of which we can walk up the management approval loop.

To Return to the Theme

Blanket statements are deserving of suspicion. They are probably a good reason to stop reading any Internet content, whether from a mainstream news outlet or social media. If you see statements beginning with, for example

{everyone|no one|we all}

and ending with (again, for example)

{knows|thinks|does|believes}

there is likely to be a problem with the content. It may be a simple lack of critical thought, but it could also be the advancement of a hidden agenda, for corporate, political, or other purposes. Propaganda, IOW. Marketing. Or perhaps you are only paying attention to fora exclusively populated by people who believe exactly as you do. Which is the group-think problem, taken to the limit, and one of the problems that the Internet has delivered to all of us.
