
Who needs XSS when you can simply ask? - judofyr
http://www.reddit.com/r/programming/comments/9oj39/javascript_in_a_single_picture_seen_on_a/
======
startingup
Summary (it is all a little meta for me): the reddit link above started as a
fairly innocuous reddit thread comparing the sizes of the two books
"Javascript - The Definitive Guide" and "Javascript - The Good Parts" - the
Good Parts being a good deal smaller as the linked photograph illustrates.

Some wise guy decided to have a little joke, and posted a comment instructing
people to copy and paste a snippet of Javascript in their URL location bar. A
_lot_ of people (presumably "web programmers") did as instructed. That little
snippet posts a comment on that same thread, instructing the next person to do
the same. That entire reddit thread is overrun with those script generated
comments.

Social lesson: we are f __ked as far as security is concerned, if that reddit
thread is any indication: even programmers would sheep-like do as they are
instructed. I suppose that was the "lesson" the wise guy had in mind.

Some good samaritan posted another Javascript snippet to clean up the reddit
thread - automatically downvote the spam comments or hide them.

~~~
TheElder
I would have to assume that people knew better, knew what it would do, and ran
the JS anyways as a joke.

~~~
salvadors
You do, of course, know the problem with assuming?

(And Ming can be merciless about such things)

------
camccann
This is an excellent illustration of a core principle of security: anything
relying on "educate the user so that they know better" is doomed to failure.

~~~
raganwald
To be precise, _anything relying on "educate the user so that they know
better" is doomed to be insecure._ It is likely to be successful in the sense
of becoming popular because it offers humans someone else to blame.

For example, if I am in IT and I tell people to choose a 512 character
password with alphanumeric characters that changes every day and doesn't
repeat any sequence that appeared in a previous password or contain a
dictionary word, I can expect people to write their passwords down on paper
and get hacked, even if I tell them not to write it down.

But I can always blame them for writing them down, few people will blame me
for being too lazy to find another way to secure the system.

~~~
Sidnicious
In most cases, users will either:

1. Choose a memorable (read: simple, dictionary, insecure) password

2. Choose a good password and write it down

If Joe the Cubedweller writes his login password down on a sticky note, the
only other people who are expected to have physical access to that note are
him and the other cubedwellers, and they're going to have little to gain from
seeing it. I would be much more concerned with Joe picking a bad password that
could be guessed by an attacker on the outside.

~~~
req2
Memorable passwords don't need to be simple, dictionary, or insecure.

MySonPlaysLittleLeague is a password that someone can easily remember, but few
people get pointed in the direction of good sentence passwords, and most
password policies indirectly limit the use of sentence passwords with
character limits or number and punctuation requirements.

~~~
salvadors
My favourite technique isn't to make the sentence itself the password, but the
first letter of each word (with some punctuation thrown in for good measure).
E.g. pick a line or two from a song, like "All the fear has left me now / I'm
not frightened anymore" and that becomes "atfhlmn-infa" (if it's something
that insists on digits too then you can easily do a substitution like
"atfhlmn-1nfa"). Memorable without being insecure.
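The first-letter technique above, written out as an added example (not code from the thread or from any commenter): each line of the source text becomes the first letters of its words, lines are joined with a separator, and an optional substitution map covers policies that insist on digits. The policy checker is a hypothetical one for illustration, since the thread only mentions length, digit and punctuation requirements in general terms.

```python
"""Added example: deriving a first-letter passphrase from a line of text.

Implements the technique described in the thread; the function names and the
policy rules below are assumptions for illustration, not anyone's real policy.
"""
import re
import string

# A "word" is a run of letters, digits or apostrophes, so "I'm" stays one word.
WORD_RE = re.compile(r"[A-Za-z0-9']+")


def first_letter_passphrase(text, line_sep="/", join_with="-", substitutions=None):
    """Return the first letter of every word in `text`, one group per line.

    Lines are split on `line_sep`, groups are joined with `join_with`, and
    `substitutions` (e.g. {"i": "1"}) is applied to the final string.
    """
    groups = []
    for line in text.split(line_sep):
        words = WORD_RE.findall(line)
        if not words:
            continue
        groups.append("".join(w[0].lower() for w in words))
    result = join_with.join(groups)
    for old, new in (substitutions or {}).items():
        result = result.replace(old, new)
    return result


def policy_failures(candidate, min_length=8, require_digit=False, require_punct=False):
    """Return the list of (hypothetical) policy rules that `candidate` fails."""
    failures = []
    if len(candidate) < min_length:
        failures.append("too short")
    if require_digit and not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if require_punct and not any(c in string.punctuation for c in candidate):
        failures.append("no punctuation")
    return failures


if __name__ == "__main__":
    # Constructed sample: the song line quoted in the thread.
    line = "All the fear has left me now / I'm not frightened anymore"
    pw = first_letter_passphrase(line)
    print(pw, policy_failures(pw, require_digit=True))
    pw_digit = first_letter_passphrase(line, substitutions={"i": "1"})
    print(pw_digit, policy_failures(pw_digit, require_digit=True, require_punct=True))
```

The apostrophe handling matters for lyrics: without it, "I'm" would be split and the derived string would no longer match what the person remembers.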

------
prosa
Makes you wonder how many popular websites are using code snippets copied and
pasted verbatim from the web.

------
dredge
Excellent! Took me a while to work out what was going on there. I'm going to
blame it on the apparent removal of the comment that started it though.

~~~
jrp
For others: scroll to the lower part of the page.

~~~
NathanKP
When I viewed it there were about 50 spammed comments. That was a cute worm
attack. ;)

------
mcantor
"Given a choice between dancing pigs and security, users will pick dancing
pigs every time." - Edward Felten and Gary McGraw

------
throw_away
It's gotten worse in the last hour or so. Someone's modified the worm so that
simply looking at a page with the comment will cause you to start replying to
all the posts on that page. Coupled with the fact that reddit has the
"red/orange envelope" feature, whereby users are notified if somebody replies
to their posts, and the fact that users tend to watch for said envelope in
anticipation, the site seems to be melting down.

~~~
eli
It's actually when they mouseover any link, and it's mostly thanks to a nasty
bug in the Python markdown implementation.
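The two comments above describe a stored-script problem: comment markup that reaches other users' browsers carries an event handler, so merely hovering a link runs it. As an added example (not reddit's code and not the Python markdown library's code; the specific bug they mention is not reproduced here), this is the defensive pattern a comment system wants regardless of which renderer it uses: a final allow-list pass over the rendered HTML that drops every attribute not explicitly permitted, which removes `on*` handlers, and rejects `href` values whose URL scheme is not on a short list. The tag and attribute policy is a hypothetical one chosen for the example.

```python
"""Added example: an allow-list HTML sanitizer for rendered comment markup.

Whatever the markdown renderer emits, this pass keeps only known tags and
attributes, drops event handlers and script-scheme URLs, and reports what it
removed so the application can log or alert on hostile comments.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical policy for a comment system (an assumption for this example).
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "blockquote",
                "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
VOID_TAGS = {"br"}
SKIP_CONTENT_TAGS = {"script", "style"}               # drop their text too


def _safe_url(value):
    """Accept an href only if its scheme is on the allow list."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme in SAFE_URL_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # (tag, attribute-or-None) removed, for logging
        self._skip = None      # tag whose text content is being discarded

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_CONTENT_TAGS:
            self._skip = tag
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            # Anything not on the list (including every on* handler) is dropped.
            if lname not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, lname))
                continue
            if lname == "href" and not _safe_url(value or ""):
                self.dropped.append((tag, lname))
                continue
            kept.append(f' {lname}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self._skip == tag:
            self._skip = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip is None:
            # Text is re-escaped, so decoded entities cannot become markup.
            self.out.append(escape(data, quote=False))


def sanitize_comment_html(markup):
    """Return (clean_html, dropped) for renderer output `markup`."""
    s = _Sanitizer()
    s.feed(markup)
    s.close()
    return "".join(s.out), s.dropped


# Constructed sample of what a renderer might emit from a hostile comment.
SAMPLE = ('<p>Nice book <a href="http://example.com/" onmouseover="doSomething()">'
          'comparison</a>! <a href="javascript:doSomething()">click</a>'
          '<script>doSomething()</script></p>')

if __name__ == "__main__":
    clean, dropped = sanitize_comment_html(SAMPLE)
    print(clean)
    print(dropped)
```

The `dropped` list is the detection hook: a burst of comments from which `on*` attributes or `javascript:` hrefs had to be stripped is exactly the signal a site would want to alert on while a worm like the one in this thread is spreading.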

------
mahmud
"Javascript: The Good Parts" is to the Rhino book what "The Little Lisper" is to
the hyperspec.

~~~
tlrobinson
The rhino book is still an invaluable reference.

I own both, I've read both, but the rhino book is the one sitting on my desk
24x7.

~~~
mahmud
No Common Lisper can live without the Hyperspec; it doesn't sit on our desks
but its content is interwoven with every Lisp IDE and with SLIME.

------
buugs
At first I thought it was the picture that was causing all those posts because
I didn't think people were really dumb enough to paste javascript in their
browser when they don't even know what it does (especially on the programming
reddit...)

Way to prove my belief wrong!

~~~
TheElder
Probably many knew what it would do, so that's why they ran it, as a
prank/joke.

------
iuguy
Reminds me of the save this picture as foo.js shit bricks attacks on 4chan.

