
You're trolling, whether you mean to be or not. You can't name anything with a perfect security track record. And this time, you're trolling in service of a stupid argument: that we can have either an insecure Internet-as-we-know-it, or no Internet-as-we-know-it at all. Well, no shit.



Except qmail, of course (http://cr.yp.to/qmail/guarantee.html)

:-)


Qmail does not have a perfect security track record (though AFAIK djbdns does).


Actually, djbdns does not have a perfect record: http://article.gmane.org/gmane.network.djbdns/13864


tptacek, you built a false dichotomy, and then you pretended I said it so you could have a straw man to knock down. We can laugh about it over a beer the next time you visit the valley.

When a friend tells me I'm trolling, even unintentionally trolling, and even if it was expressed through a fallacious argument, it's time to stop and rethink. Something is definitely wrong.

I seriously thought about just dropping this, not responding and letting this thread die of natural causes. But I would be setting a bad example by doing nothing, or taking it privately to email. $DEITY knows HN needs more good examples of responding properly under pressure on contentious issues, and with some luck and effort, I'll hopefully write one.

It seems tptacek meant "Web-as-we-know-it" but I really do get his point; people are now accustomed to executing code from any source via web browsers and javascript. It undeniably is the status quo. Me and my outdated, curmudgeonly views have never agreed with the idea of executing code from any source. I am undoubtedly a minority.

The problem is, why is it such a terrible sin to question if the risks are worth the rewards, voice flaws in the design, and try to look for better alternatives? --In other words, why is everyone forced to accept the "as-we-know-it" part without question?

Wanting to improve the as-we-know-it is vastly different from wanting to abandon everything. I'm always in favor of trying to improve the status quo. I know for certain the same is true for tptacek and although I don't know him, I'd bet the same is true for daeken.

It's safe to say all of us "violently agree" that there is no such thing as perfectly secure code, and it makes no difference if the code is only handling data or if it is attempting to execute other code in a sandboxed virtual machine such as javascript.

Javascript has unimaginably huge investment and momentum behind it. The overwhelmingly vast majority of people have a vested interest in javascript, either as a company or developer, but also as just a user. It won't be abandoned overnight. Similar is true for other problematic aspects of the web including CSS and frames. In short, there is a damn good reason why unpopular views are very unpopular --Billions (if not more) of investment would be lost if these things were abandoned.

With all of that said, browser exploits are painfully common. If you reread tptacek's original comment:

> Because pretty much all the browsers, on a better-than-quarterly basis, fall victim to attacks that allow arbitrary web pages to upload code into their processes and run it. Just not sure this needed the "attack class" name.

you can see browser exploits happen regularly enough to cause significant damages, but even mentioning the underlying problems results in, "You're trolling... Internet-as-we-know-it... no shit." and similar. It doesn't need to be that way, but around here, it almost always happens. The very idea of finding something better than the status quo of javascript and endless browser exploits is far too intimidating and unreasonable for most people. If you make your living from javascript or you're just a casual user, it is terrifying to think what would happen if it suddenly stopped working at 3pm tomorrow. When an idea contrary to the status quo is voiced, many people succumb to the irrational thinking of a sudden change and the associated irrational fears. But...

  The reasonable man adapts himself to the world. The unreasonable
  man persists in trying to adapt the world to himself. Therefore,
  all progress depends on the unreasonable man.
  -- George Bernard Shaw

Being unreasonable is never a license to troll; the efforts and investments of others have value and should be respected, but making improvements should remain open for discussion. Maybe I am unreasonable, but I do have good reason for it; our status quo is repeatedly broken. Taking offense to reality will simply prevent you from improving the situation, and worse, shouting-down others for venturing where you fear to tread may prevent them from improving the status quo for you.

If you can't talk about a problem, then you have a bigger problem.


The problem is that you said they would execute 'ALL' code, which is not only terribly misleading but technically incorrect. It's a false statement that has no place in a proper discussion.

Also I think it's unreasonable to expect a browser without javascript to be significantly safer. Look at all the code-execution exploits in image decoders.


I skimmed this.

Insistently trying to relitigate all of Javascript on HN in response to an IE news story is trolling. The first such comment was just annoying, but when you pushed the point with someone who clearly wasn't interested in your orthogonal argument, it crossed the line.



