Journal dpt's Journal: Cowardice of a Web weenie 17
I notice that my favourite Javascript weenie, woogieoogieboogie, has run and hidden himself away, to be consoled by his boyfriend, and presumably, a case of malt liquor.
So, I guess he's *finally* realized it's impossible to "hide the source" from browsers, and is too cowardly too reply.
Perhaps he's read those specs he posted. How embarrassing for him.
So, if you look at his posting history, you'll be able to laugh along as he gets many things wrong:
* HTML and HTTP (the web is for sending information!)
* programming (it's simple, and just about "moving data around")
* TCP/IP (data gets into the browser by voodoo magic! What's a TCP/IP stack?)
* CSS (what's the order of the application of the attributes, again?)
* tcpdump (I'm confused, and can't read. Tell me which options I need!!)
And, I'll leave you with the unforgettable quote:
"WSH is more powerful than any other language"
What a script kiddie. No wonder he's just a low paid web developer at Nowheresville, Florida. Get a real job, why don't you, before they get a H1B person who's ten times as fast and actually understands technology?
What a kook (Score:2)
I lost? ROTFLMFAO. Here...
That should be about all you need to embed an IE control into an active x object which can be called from any web page.
You are not very bright are you? You claim to be a programmer, yet you cannot understand simple things. How truly pathetic you are. A sample compiled version is here http://home.earthlink.net/~woogieoogieboogie/web/P roject1.ocx
Do you get it, a webbrowser embedded in an active x control can be made to completely stop you from retrieving the html source. Anyone with the intelligence of a rock should understand that there are many different ways such an approach can be implemented including encryption, embedding the html in the control, using my own xml schema and doing the tranformation within the control, or even inventing my own markup language which can only be used from within the control. but you keep running on about "winning" a topic which you do not even comprehend.
You seem to be making a concerted effort to locate where I am. It is beginning to look like a bit of net stalking. Be advised that I know your real name and where you live and I have a picture of your really disgusting mugshot. HTH HAND
Re:What a kook (Score:1)
Yes, but with enough effort, all these things can be undone. It's not hidden. It can't be. Study information theory and figure out why.
And besides, as soon as you download an executable, it's not a web page anymore. You're downloading an executable and using that to display information. Unless activex suddenly became a w3c recommendation, thats not really a web site.
It's also important to note that all your other non-activex schemes are broken. All of them. You admit this by not defending them.
You seem to be making a concerted effort to locate where I am. It is beginning to look like a bit of net stalking
You started it.
Re:What a kook (Score:2)
If the final output is HTML, then the mode of transport is irrelevant. You wanted to bring the discussion past simply "viewing the html source." Most intelligent people understand a concept as "hiding html source" as nothing more than eliminating it from being viewed through common casual methods. Only a kook would bring such a concept to a level of "bit by bit" capture of the file. For most reasonably intelligent people, generatign the content dynamically, destroyig the dom and clearing the clipboard when the document is unfocused is pretty much "hiding the html source." It doesn't mean that they do not have the capability to use more advanced methods to retrieve the source under such a circumstance, it means they understand what the goal is and that the goal has been accomplished. Only wannabee hackers try and take it to any level past that. But for soem reason people like you get hysterical when the concept of hiding html source is mentioned and for some odd reason have to try and prove how clever you are. what is really amazing is that you argue without any knowledge of how Internet Explorer works and how active x works. Arguing on a topic which you have no concept of and lack any information and experience with does not make you look very smart. It does make you look poorly educated and extremely ignorant.
The other methods previously discussed are in reality the ultimate ways to hide the html source. Unfortunately you are unable to comprehend the concept that the html cannot be viewed because it does not exist and when forced to be viewed in IE only, even using view source from the context menu does not give you the html source but rather what MSFT belives should be the html source.
Re:What a kook (Score:1)
No, read up on security, and then get back to me. This is a disaster waiting to happen, basically.
In the course of our discussion, an encrypted proprietary document which can only be viewed via a proprietary binary executable is nearly the pinnacle of document security in any information system. Why do you think PDF files are so popular where the integrity of the doument is desired
That is extremely naive.
The problem is, you have to send me that executable. Now, machine code may be difficult to read for some, but not for others, trust me. If you had any secrets worth stealing, the cost of retrieving them would be quite small, and can be done in linear time. And, once broken, *all* the data you transmit this way is available. You can't just change keys.
In theory that assertation is valid, and in accordance with that theory, any and all computing security is based upon the ability to obfuscate the data
Some methods are better than others. All your schemes can be broken in linear time, and if broken once, are broken for all use cases. *Really* secure methods require exponential time relative to the length of the key (for example), and if broken for one key, aren't broken for all other keys. That's the difference between what most people consider "secure" and the obfuscations you have proposed.
But for soem reason people like you get hysterical when the concept of hiding html source is mentioned and for some odd reason have to try and prove how clever you are. what is really amazing is that you argue without any knowledge of how Internet Explorer works and how active x works
It's because someone might actually believe it, and think that their data is secure. If you modified your statements so that it was clear that it's not really to be trusted much, but just making it a bit difficult for the casual reader, people would have no problems with it.
The other methods previously discussed are in reality the ultimate ways to hide the html source
I have explained to you why they are broken many times.
Unfortunately you are unable to comprehend the concept that the html cannot be viewed because it does not exist and when forced to be viewed in IE only, even using view source from the context menu does not give you the html source but rather what MSFT belives should be the html source
Yes, I understand that you are rendering the pages from some other source, and not actually sending any HTML, in which case *obviously* I can't get the HTML source. But I can get whatever "source" (be it XML/XSLT, or some script or program that builds the page) you use, and so anything you were hiding stands revealed. I can get *that*, which is all that matters to any reasonable person assessing your claims of security.
Re:What a kook (Score:1)
No, you can raise the time required to decrypt by brute force methods so that it's theoretically impossible (with current computing power) for any required amount of time, right up to the end of the solar system if you like. That is, so that the time required is exponential relative to the length of the key. The idea is, with things like RSA, that publishing the algorithm takes "skill" out of the equation.
However, all your examples require only a linearly scaled effort. For example, if you send a compiled executable containing code to "build" the HTML, it will take an amount of time *directly* corresponding to the the length of the executable.
To be considered secure, you'd want it to be 2^(length), for example, so that the total time is beyond what anyone can achieve. Skill shouldn't come into it.
Finally, once someone does this for one ActiveX component, chances are that it will be a lot easier the next time, as they'll know the memory layout, be familiar with the function entry points, and so on.
For example, a password protected system requires an unauthorized person to "guess" the password in order to obtain access
I agree, password based access is not very good. I don't have any better alternative, unless everyone has a certificate, but that also has problems (who watches the certificate authorities?).
Encryption follows the same "password" mentality and with a properly "guessed" passphrase, is easily bypassed
That's not really true. Schneier's "Applied Cryptography" provides a good breakdown of the way key lengths affect risk. Basically, with a long key and RSA, I'd feel pretty safe that my message won't be read before the end of the decade, basically, even accounting for worst case computing power improvements (excepting quantum computing or factoring breakthroughs!).
With what I proposed as an example of a way to secure the HTML source, my proposal is MORE secure than the webserver itself because the degree of skill required to decompile and decrypt the file is far greater than that needed to compromise a typical webserver's security
More effort? Sort of. But remember, once they've done it once, it's pretty easy from there on in, if you're using the same executable to build these pages from some data you receive on the wire (in whatever form). At least you can change a server's password!
And yes, you can generate a new component each time, but like I said, different ActiveX components most likely aren't all that different from each other for someone who can read them. After a while, they'll probably write tools to get to the good bits i.e the calls to page constructing functions. So I think the password approach comes out better, overall, as I'm not guaranteed any result by guessing passwords (a sensible policy *won't* allow dictionary words and make it very long and force numbers and so on - worth doing for the firewall, and will limit the number of guesses allowed. skeys are also useful), but I *am* guaranteed a result by reading that code!
But you can't really assume people aren't reading it. If I had something in a web page (some clever Javascript or something) that I didn't want people to "steal", I wouldn't rely on this. I truly don't think there *is* a way, short of DRM hardware in the user's device that is actively working *against* the user.
No it is not naive and PDF files are very popular with government agencies for transmittal of official information for the very fact that PDF files offer some protection against the information being compromised.
Really? What kind of protection? I thought the PDF format had been published?
if you download and fill out a government form and modify the PDF file, you have little legal defense that the PDF may have been compromised in transit. The same cannot be said about word or rtf or text documents
I don't know about that. If the format is available, then I can pretty easily modify the text within without disturbing anything else, once I had written the reader/writer program. It probably already exists. I think digital signitures are the only way to go here. Does PDF have standard support for signing? Of course, it probably wouldn't help, as we would all have to have certificates for it to work properly.
There is no HTML source and no matter what you do, you cannot retrieve it because it does not exist
I assumed at the start we were only talking about the case where HTML is used. If not, substitute HTML with whatever you're using. And yes, you can encapsulate it in a binary, that's toughest of all but don't expect to be able to hide your proprietary Javascript like this.
You bumbling idiot (Score:2)
WSH can use ANY programming language via scripting or active x/com. You fucking retard. WSH is NOT a language, it is a technology that facilitates the use of multiple languages through a simple object oriented interface. Keep arguing about things which you have no clue about, it really does provide for some intense laughter.
Re:You bumbling idiot (Score:2)
That's right. I'm relieved you realize that it's not a language, and that it is merely an integration tool, and therefore not particularly "powerful" at all - it is just leveraging the power of existing languages and tools. I think he's seen the light.
Re:You bumbling idiot (Score:2)
Re:You stupid golliwog (Score:2)
And only a scipt kiddie would say such a patently idiotic thing. So I'm going to keep reminding you of it, until you realise you are a fucktard.
How is it "more powerful", then? What is your definition of "powerful"?
Perhaps you should not argue about things on a platform which you have no knowledge or experience with
Yet you talk about programming, engineering/engineers, software development, TCP/IP, cryptography, and so on, all the time. Things that someone with your limited background has exactly zero clues about.
Re:You turtle ass rapist (Score:2)
I prefer this one
http://dictionary.reference.com/search?q=powerful
"powerful
\Pow"er*ful\, a. 1. Full of power; capable of producing great effects of any kind;."
HTH HAND
How dumb can dpt get? (Score:2)
Please provide a definition which does not factor down to simply "transmitting/transferring information?" Of course you cannot.
* programming (it's simple, and just about "moving data around")
Please provide a definition of programming which does not to simply "moving data around"
* TCP/IP (data gets into the browser by voodoo magic! What's a TCP/IP stack?)
Just because it is possible to read data coming accross an interface does not mean that data is in a usable form. We still have yet to see you demonstrate your incredible skillz and recreate a complete html page form a tcpdump file.
* CSS (what's the order of the application of the attributes, again?)
Please deomstrate a fully CSS2 complaint web browser. No, Moz is not fully CSS2 compliant.
* tcpdump (I'm confused, and can't read. Tell me which options I need!!)
Yes, you do seem to have problems understandign that different versions of a program have different switches.
Just when I thought the bounds of your stupidity were stretched to the limit, you fully demonstrate that your ignorance is without boundaries. You continuously surpass any and all expectations of possible human stupidity.
Re:How dumb can dpt get? (Score:1)
Of course I can. The web is specifically for the location, display and "hyperlinking" of documents. It runs over TCP/IP, and *that* is a content neutral technology.
Just because it is possible to read data coming accross an interface does not mean that data is in a usable form. We still have yet to see you demonstrate your incredible skillz and recreate a complete html page form a tcpdump file
I don't have to, it turns out people have already done it. Game over.
Please deomstrate a fully CSS2 complaint web browser. No, Moz is not fully CSS2 compliant
Straw man. I didn't say anyone was compliant. I merely reminded you of your previous confusion.
Yes, you do seem to have problems understandign that different versions of a program have different switches
You should have done a little research before making such a dick of yourself.
Just when I thought the bounds of your stupidity were stretched to the limit, you fully demonstrate that your ignorance is without boundaries. You continuously surpass any and all expectations of possible human stupidity
I see. So the entire basis of measuring intelligence, educational achievement and the entire capitalist system of rewarding the best and brightest has got it all *wrong*.
And it took an sysadmin from a real estate office in the boondocks to point this out!
Re:How dumb can dpt get? (Score:2)
From RFC 2616
" HTTP communication usually takes place over TCP/IP connections. The default port is TCP 80 [19], but other ports can be used. This does not preclude HTTP from being implemented on top of any other protocol on the Internet, or on other networks. HTTP only presumes a reliable transport; any protocol that provides such guarantees can be used; the mapping of the HTTP/1.1 request and response structures onto the transport data units of the protocol in question is outside the scope of this specification."
Nowhere does it say that HTTP requires TCP/IP. In fact, it clearly states that any protocol that provides a reliable transport can be used.
from http://www.w3.org/TR/1999/REC-html401-19991224/int ro/intro.html#h-2.1
"To publish information for global distribution, one needs a universally understood language, a kind of publishing mother tongue that all computers may potentially understand"
The fact that you are arguing this pints to your complete ignorance of the topic.
Straw man. I didn't say anyone was compliant. I merely reminded you of your previous confusion.
I specifically mentioned the CSS1 spec, You brought in the CSS2 spec which is not fully implemented in any webbrowser and unlike youy, I do not refer to a spec where there is limited or completely broken support for it.
You should have done a little research before making such a dick of yourself.
I seem to recall that the switches I posted are shared accross all versions of TCpDump, the switches you "corrected" me on are not. funny how you fail to see such a simple error on your behalf.
I see. So the entire basis of measuring intelligence, educational achievement and the entire capitalist system of rewarding the best and brightest has got it all *wrong*.
Need I say anythimg more than the name G.W Bush?
And it took an sysadmin from a real estate office in the boondocks to point this out!
Obviously you have never seen S. Florida and you know nothing about the region.
Re:How gay can Pratt get? (Score:2)
Rolls eyes
Would it help, if I, like the spec, put "commonly" in there? Besided, before we started this, your misunderstandings about the Internet and TCP/IP could fill a book.
I specifically mentioned the CSS1 spec, You brought in the CSS2 spec which is not fully implemented in any webbrowser and unlike youy, I do not refer to a spec where there is limited or completely broken support for it
Just thought of this now, did you? Months later
And why can't you refer to a spec just because it's not well supported? That seems kind of dumb. I think you didn't even know there was a CSS2 spec, as it wasn't covered in your "CSS for Dummies" book.
I seem to recall that the switches I posted are shared accross all versions of TCpDump, the switches you "corrected" me on are not. funny how you fail to see such a simple error on your behalf
No error. I knew how to use tcpdump, and the features available on all versions. You did not. And you kept this non-sense up for days on end, because you wouldn't admit you were wrong about "hiding" source code.
Need I say anythimg more than the name G.W Bush?
I don't recall Bush having a high IQ, or doing well at school. By and large, though, people end up where they deserve. Hence, you are *not* CEO of a Fortune 500 company. Have you even had a job at all with a Fortune 500 company? No? There's a reason for that.
Obviously you have never seen S. Florida and you know nothing about the region
Except that it's a mecca for shitheads and losers, like yourself. Now, tell me why Polookaville, Florida, is famous? The best and brightest of the country are moving there to work out the back in real estate offices because [...].
Re:dpt takes it in the ass (Score:2)
Here is a quarter little boy, go get a clue. Your comment makes absolutely no sense. Are you trying to imply that the WWW REQUIRES certain content?
And why can't you refer to a spec just because it's not well supported?
No browser in existence is in compliance with CSS2 and AFAIK, only recent builds of MOZ even implement the !important rule as defined in in the CSS2 spec. You are talking about an implementation which is the exception and not in common use.
I don't recall Bush having a high IQ, or doing well at school. By and large, though, people end up where they deserve. Hence, you are *not* CEO of a Fortune 500 company. Have you even had a job at all with a Fortune 500 company? No? There's a reason for that.
http://members.shaw.ca/delajara/GREIQ.html Now be an intelligent person and go find the minimum GRE requirements for the MBA program at Harvard. Nobody is getting into any Ivy League school unless they have at least a 1200 GRE score which pretty much translates into an IQ in the top 5%. On paper GW is supposed to be an extremely intelligent person.
FYI, I grew up in a family on welfare and have been on my own since I was 15. I put myself through college and the discussion you so arrogantly are referring to was a discussion about barriers in society for all people. Poverty is a disability and one of the greatest social barriers to overcome. Education is the great equalizer, but unfortunately in the USA an advanced college degree is economically unattainable unless one has substantial financial support. Furthermore, the typical path to the executive ranks of a Fortune 500 company (a Fortune 500 is one of the top 500 companies annually ranked by Fortune magazine, such a shame you do not even know simple concepts such as that) is paved with an Ivy league undergraduate and graduate school education. Entry into an Ivy league school is not only dependant upon intelligence, but upon a certain social upbringing which encourages certain activities and behaviors that those schools find desirable. Impoverished neighborhoods do not promote these social aspects because the concept of attending an Ivy league school is economically unfeasible. My comment in that discussion was a point that the existing barriers prevented me from taking what is considered the "fast track" to the executive ranks of a fortune 500 company. If money and power were my goals, I would reactivate my NASD Series 7 license and return to my career as a Wall Street Stockbroker. Perhaps you will be encourage to stop making an ass of yourself by quoting statements taken out of centext from unrelated discussions.
No, people do not end up where they deserve. Values, upbringing, lineage and luck have as much to do with success as hard work, determination and perseverence. Micheal Dell is a billionaire because of luck. Nothing Dell does is either innovative or skilled. Same with Gates and MSFT. This is not to say they wouldn't have been successful, but their level of success has infinately increased due to chance. GW is not president of the US because he is the best and most qualified man for the job, he is the president because his family has political clout and lots of money.
No, I have never worked for a fortune 500 company. With the exception of the past three years, I have worked for myself as an independant stockbroker and running my own company since I graduated college. So yes, there is a reason for it. Why the fsck would I work somewhere and make less money and have less freedom.
Except that it's a mecca for shitheads and losers, like yourself. Now, tell me why Polookaville, Florida, is famous? The best and brightest of the country are moving there to work out the back in real estate offices because [...].
Given the number of $100,000 plus cars and abundance of $1,000,000 condos and $10,000,000 dollar homes, there must be some damn wealthy shitheads around here.
I will give you the number 1 reason why the area is famous worldwide and changed the course of history as well as spawned the entire industry which both you and I work in. It was called "Project Chess" and the codename for the device was "Acorn." In 1982, Time Magazine named that device the "Man of the Year." The place was Boca Raton, the company was IBM and the device was the PC. And on that note, I will point out that you are a complete and total idiot.
Re: PC's are lame ;) (Score:1)
Of course. Valid HTTP messages!
I will give you the number 1 reason why the area is famous worldwide and changed the course of history as well as spawned the entire industry which both you and I work in
That's ridiculous. Spawned the industry? Whether IBM invented the PC or not, I'd still be a software engineer.
Changing history? If PC's were never invented by IBM, there would just be some other cheap computing device for the masses - we would have Amigas or Atari STs or Apples or something else. I don't see this as being a particularly great breakthrough. TCP/IP and the internet however, you could probably make that claim for.
It was called "Project Chess" and the codename for the device was "Acorn." In 1982, Time Magazine named that device the "Man of the Year."
According to Time, 1982's man of the year was "The Computer", actually. The original design of the PC isn't all that great, anyhow. And it wasn't until the 386 that it became really credible as a "real" computer, which had a pretty good architecture given the historical constraints.
The place was Boca Raton, the company was IBM and the device was the PC. And on that note, I will point out that you are a complete and total idiot
You didn't answer my question. So what if twenty years ago something happened. What about now? It might well be a nice place to live, but a lightning rod of technology, culture, and innovation, it isn't. You don't exactly hear it being referred to a a tech hotspot, do you? Nice beaches, no doubt.