
I just had a reminder of how huge a percentage of people simply fail to engage, at a fundamental level, with the basics of Internet security. My acquaintance James Redekop, who works as a veteran coder at an Internet firm in Ontario, said on a mailing list that he was unable to follow a link to an article on cincinnati.com because the site told him he'd reached his quota for gratis articles for the month. I thought, wait, what? That means....

Quoting James H.G. Redekop (james.hg.redekop@gmail.com):
On Tue, Jul 9, 2013 at 8:40 AM, Garrison Hilliard <garrison.hilliard@gmail.com> wrote:
Not too rainy in Cin. city, but...
Apparently, my free trial to this website I've never visited before has expired, so I can't read the article.

d00d, as always, it's a Javascript function. You're not using NoScript yet?

I was stunned because James of all people should have long ago figured out _why_ something like NoScript is necessary. But then I was stunned a second time by his explanation of why he was doing without it:

Quoting James H.G. Redekop (james.hg.redekop@gmail.com):
I'm at work, where I work on a cloud-based application which uses JavaScript, so I haven't bothered to install it here.

You've possibly made the error of assuming the name 'NoScript' means that it disables Javascript? I continue to be amazed how many people make that erroneous assumption.[1] I use it at work, and $FIRM has dozens of sites on which I need to be able to automatically run the served Javascript. So, that's what I have NoScript do for all such sites.

[1] Put simply, NoScript _inverts_ Web browsers' default behaviour of being willing to run any JavaScript snippet on any page from any FQDN, by making that become default-no. On a per-site basis, you choose which FQDNs' snippets to enable either temporarily or permanently from then on. You also can (and should) tweak permitted Javascript behaviour in NoScript's preferences, which is a key advantage because the Javascript language is dangerously and horrifically overfeatured.

You are warned that there is a learning curve in getting used to NoScript, and it's important to know how to use its overrides for difficult cases. The payoff is much better security and browser performance, there are far fewer instances of bombing out of memory, there is far lower RAM usage, there is much less junk on pages, video clips become optionally playable objects rather than autorunning irritations, and many paywalls like NY Times's and cincinnati.com's simply go away completely. (AdBlock Plus is a highly recommended companion measure.)

In other words, James had failed to even investigate NoScript, never looking beyond its _name_, and assuming (in error) based solely on that name that it simply disables Javascript in some blanket fashion -- without taking even a few seconds to check. (Aside: Why would anyone write a Firefox extension merely to disable Javascript, anyway? That doesn't even make a tiny bit of sense.)

The larger picture: Installing and tweaking add-on modifications to basic software requires taking initiative, and I notice that hardly anyone ever does. In Feb. 2011, I gave a talk at Silicon Valley Linux User group called 'The Wild, Wild Web: Web Browser Security, Performance, and Privacy' (for which notes and slides are online), and made the point that Javascript is _the_ keystone technology one must wrestle back under user control if one hopes to enjoy reasonable security, performance, stability, and privacy. Thus the extreme need for NoScript or something like it. Even though, yes, using it does require you to get off your ass and do something on your own initiative rather than being a passive consumer.

Near the end of my talk, I asked for an honest show of hands: 'Seriously now, and I would appreciate an honest answer and will take no offence at same, how many of you will seriously consider any significant portion of the recommendations I'm making here today?' Out of a room of about 50-60 members of the audience, I think one hand went up. I thanked them for their refreshing honesty -- but was a bit appalled at the near-total disconnect between people understanding the problem and being willing to lift a finger to take corrective (but non-default) measures to deal with it.

The even larger picture: I've noticed that the rot has set in pretty deeply of people 'trying Linux' but never even considering doing anything non-default. We've now had about a decade's worth of participants for whom 'installing Linux' is just booting a distro installer and hitting the spacebar repeatedly with their foreheads until completion, who are utterly helpless to deal intelligently with driver and configuration issues, and who don't even really understand anything about their chosen distros, either.

I started to realise the magnitude of the problem when I encountered people installing DamnSmallLinux on P4 boxes with 512 MB or 1GB RAM because they seriously thought nothing more complex _could_ work. And why did they think this? They attempted to boot the live-CD image of (say) Ubuntu to run the graphical installer on top of that, it choked on the extreme RAM shortage, and they concluded that installation was impossible. Or the installer completed but then was 'slow' and they couldn't even start to figure out how to decide what to run and not run, because the very concept of doing so was alien.

I saw this problem when I asked such people about the process list. Blank expression. 'Process list. You know, the process list. ps and all that.' Complete and total non-comprehension. 'Wait, this is an open-source OS. The very basic idea, the raison d'etre, is to enable _you_ to decide for _yourself_ what to run and not to run. Are you telling me you have never even considered figuring out what is running and deciding for yourself what you want?'

Yes, that's overwhelmingly the case. And these people actually _argue_ with me. DamnSmallLinux is The Right Thing because they can boot into the installer and hit the spacebar with their foreheads repeatedly and arrive at a (feeble, limited) Linux installation. Therefore, it's the right choice, say they. Wow. Just wow.
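
As an added illustration of the default-deny, per-FQDN model described in footnote [1] above (this is not NoScript's own code and not part of the original post): the sketch assumes exact-FQDN matching, and the class name, hostnames and sample pages are all constructed for the example.

```javascript
// Simplified model of a default-deny script policy. Assumption: exact-FQDN
// matching only; the real extension's matching and preferences are richer.
class ScriptPolicy {
  constructor() {
    this.permanent = new Set(); // FQDNs allowed from now on
    this.temporary = new Set(); // FQDNs allowed until the session ends
  }
  allow(fqdn, { temporary = false } = {}) {
    (temporary ? this.temporary : this.permanent).add(fqdn.toLowerCase());
  }
  endSession() { this.temporary.clear(); }
  isAllowed(fqdn) {
    const h = fqdn.toLowerCase();
    return this.permanent.has(h) || this.temporary.has(h);
  }
  // The decision is made per script, keyed on the FQDN that serves it,
  // not on the page being visited. Anything not listed is blocked.
  evaluate(pageUrl, scriptSrcs) {
    const result = { run: [], blocked: [] };
    for (const src of scriptSrcs) {
      const host = new URL(src, pageUrl).hostname; // relative src -> page FQDN
      (this.isAllowed(host) ? result.run : result.blocked).push(host);
    }
    return result;
  }
}

// Constructed sample pages (hypothetical hostnames).
const workPage = {
  url: "https://app.firm.example/dashboard",
  scripts: ["/static/app.js", "https://cdn.firm.example/lib.js",
            "https://metrics.tracker.example/t.js"],
};
const newsPage = {
  url: "https://news.site.example/story",
  scripts: ["/js/site.js", "https://metrics.tracker.example/t.js"],
};

function demo() {
  const policy = new ScriptPolicy();
  policy.allow("app.firm.example");                      // permanent
  policy.allow("cdn.firm.example", { temporary: true }); // this session only
  const first = policy.evaluate(workPage.url, workPage.scripts);
  policy.endSession();                                   // temporary grants lapse
  const second = policy.evaluate(workPage.url, workPage.scripts);
  const news = policy.evaluate(newsPage.url, newsPage.scripts);
  return { first, second, news };
}

console.log(JSON.stringify(demo(), null, 2));
```

The work application keeps running its own JavaScript while the third-party script on the same page stays blocked, and a site never granted anything runs nothing.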