@ekaitz_zarraga

Exactly.

Yet I insist that #hackers (aka #pirates) want #Knowledge not #Power.

Power is a sword without a handle: whatever you do, you can't use it the right way.

Knowledge instead is like a clean and well ordered kitchen: you can just boil an egg or cook for a romantic dinner.

Hi @aspittel!

I agree with most of what you say here and I really liked the section about Inclusiveness.

But the #World outside the #US is huge, varied and wonderful!

That's why, as a #European #hacker, I felt obliged to share a different perspective.

https://dev.to/shamar/comment/9pap

@deejoe
@Shamar

@calvin @natecull @popefucker @mala @Shamar @rain

In any case, I wasn't just trying to engage.

I was trying to inform people!

It was before the Russian Government started to use those attacks and #Mozilla #Security's developers (that in the bug report suggested to continue the conversation on #Lobsters) hadn't yet answered this simple question: "are #Firefox users vulnerable to this wide class of undetectable attacks?"

They are leaving their users vulnerable without informing them!

@alcinnz @natecull @fabricedesre @popefucker @mala @Shamar @rain

I'm sorry, but given the severity of the issue, I think this architectural issue should have been mitigated 7 months ago.

And to be honest, I can't really imagine how #Firefox developers can sleep since they know that Putin is using their browser to identify suspect people.

We are talking about #WHATWG #LivingStandards: the fastest way to have a fix introduced in these standards is to introduce it in one of the implementations.

@natecull @popefucker @mala @Shamar

You can see the code without running it in the @rain's article.

But note, these are just two of the possible attacks.

If your browser authenticate automatically to a service on your LAN (imagine through windows authentication), with a #DNS rebinding attack a malicious #JavaScript might access to such service.

It's true you can't frame an arbitrary #TCP packet in the browser, but how many services run over HTTP today?

@nornagon @natecull @mala @Shamar

Sure automatically executing #JS on #Web page was a dumb idea from the very beginning.

But #WASM is worse because it's a binary format.

If you have ever had to debug a #GCC optimized binary without source code or debug symbols, you know that reading an obfuscated #JavaScript is a kids play compared to this.

So even if JS was the first offender, #WebAssembly is going to be the worse one for the Web users' #security: it will be way harder to detect an attack.

@Wolf480pl

Indeed #WHATWG #LivingStandards exists to minimise competition.

The fun thing is that everyone cry for server side #centralization and nobody see that on the client side the situation is even worse!

@ekaitz_zarraga @grainloom @alcinnz