2015-10-02 10:58 GMT+02:00 Georgi Guninski <[1]guninski@guninski.com>: On Thu, Oct 01, 2015 at 03:09:40PM -0700, Shelley wrote: > > Agree with both sentiments, but - who the hell opens documents of > dubious origin on a networked machine? Even on an airgapped > machine, I still use a VM... > Agree about VM, it adds another layer of protection. VMs have bugs too, as history shows. btw, does rowhammer escape VM? (appears to me yes). You know, a webpage is supposed to be in a VM too. With HTML growing so big and so fast it's very hard to know it's secure. But I see little reason as to why Javascript is the baddest boy on the block. iPhones Got wrecked by a png rendering library. Interpreting a programming language is not that different from interpreting an image. Even less different from interpreting HTML/CSS. If you would care for a secure instead of a fast Javascript interpreter, well, too bad because nobody's making a secure one. Hah. Which relates as to why I lost a lot of personal photo's; I didn't use the cloud backup feature. Now nobody has my pictures, except maybe whomever stole my phone* =( Using one of those file hosting sites provides a greater level of convenience. Perhaps so much greater that without that level of convenience it would hardly be possible at all. The consumers don't care to invest in security very much, in fact, hardly at all. Especially when all you're securing against sounds like more paranoia - which is what an invisible-seems-like-its-not-even-there organization will always seem like. (remember, the NSA lacks the field agents to even be anywhere, and I never see GCHQ agents either) * full disk crypto is not a thing in androidland ;( tl;dr: javascript could be fine if we'd have secure software - as it is HTML/CSS/images/videos/etc are all also dangerous. Top level security seems (and often is) useless - therefore we don't really have it (even when we'd like it so very much) unless we keep ourselves from essential features. References 1. mailto:guninski@guninski.com