[erlang-questions] Two beautiful programs - or web programming made easy
Tue Feb 15 08:45:14 CET 2011
It seems to me you can either secure the pipe (ssh) or secure the things in the
pipe (i.e. the content).
I'd prefer to secure the content since I can do this with my own code - RSA
boils down to A^C mod N; with Erlang and bignums this is trivial - I trust my
Now suppose I've gotten as far as decrypting and authenticating the
of code, dare I *run* the code - this boils down to trust and is a
Do I trust the NSA not to have put a back-door in ssh? - no. Do I trust my
rsa code - yes.
People happily click on "install this code" "run this code" buttons because
If I still want to run the code anyway, despite the fact I mistrust the
source, I can run it on a sandboxed machine that is not connected to anything.
But again do I trust the USB memory (or whatever) that I used to transfer
What If somebody installs a keyboard logger in the firmware of my keyboard?
It's all about trust
2011/2/15 Frédéric Trottier-Hébert <>
> On 2011-02-14, at 18:38 PM, Ryan Zezeski wrote:
> > 2011/2/14 Frédéric Trottier-Hébert <>
> > This has *nothing* to do with encryption, and everything to do with not
> understanding the potential threats of the web correctly. It is an
> application-level issue, much like XSS is. And it's pretty damn important.
> > Except when it isn't.
> > You make a very impressive summarization of web security problems, but
> there are many apps where these problems go away because they simply, don't,
> matter. For example, how about building a new interface to the appmon
> application using this with Raphael or Protovis? Do I really need to worry
> about all this crap? I'd argue, no. If I'm using appmon it's behind a
> firewall and I trust the user to be competent. Just like 'rm -f' in unix.
> Plus, who gives a sh*t (pardon my French) about a hijacked session when
> someone else just cracked your gateway because of default passwords. My
> point being, there are so many doors, and this focuses on one. Getting it
> right is very hard, and thus very costly, and that's why I think the first
> thing to ask is "Does this even need to be secure?" Given enough time,
> anything can be had.
> I won't argue with this. You're right on this. Again I'll repeat myself by
> saying that as a general (and generic) pattern, the eval() in Joe's code
> worries me. Individual cases can be tested and proven safe on an individual
> basis without too much trouble.
> > If nothing else Joe has stumbled upon a way to rapidly produce
> nice-looking and feature rich GUIs in Erlang, and yet it seems everyone has
> somehow missed this point and focused on security and support and whatnot.
> I'm glad there are Joe's in the world, otherwise it would be a pretty
> boring place.
> > Don't let perfect get in the way of good enough. As Joe said, life is
> too [expletive deleted] short.
> > -Ryan
> There is nothing wrong with what Joe is doing. There is nothing wrong with
> general and we shouldn't reinvent the wheel all the time because we might be
> coming from a different domain or we don't have the same experience as real
> web developers have.
> You only have to look into what people are doing with node.js. Just look
> at this example:
> These guys are doing session sharing over the browser (including mouse
> movement and everything).
> You can also look at the nodeknockout as a whole:
> http://nodeknockout.com/teams (some links are now dead). These include
> multiplayer browser games, chat systems, drawing applications, charts, etc.
> Dreamers and innovators are at work on the web already, they're just not
> necessarily doing it with Erlang.
> They are doing that kind of explorative nice-looking innovation we all find
> awesome (even if they likely don't do it 100% safe either).
> I'm sorry if I sounded patronising or just bossy around this discussion,
> it's just that there are fantastic ideas to be inspired from in what is done
> by these programmers all the time. They usually do it cleaner, safer and
> smarter. At least on the client side.
> If people can learn from Erlang when it comes to heavily concurrent and
> fault-tolerant applications, Erlang programmers can certainly learn from
> other domains when the developers working there are more specialised at what
> they do than we could be as a community in here.
> Fred Hébert
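The "A^C mod N on bignums" remark at the top of this mail is easy to make concrete. The module below is an added example written for this page, not Joe's code or anything posted in the thread: a square-and-multiply modular exponentiation on Erlang's arbitrary-precision integers, an extended-Euclid modular inverse, and a textbook RSA encrypt/decrypt round trip. The two primes, the message value and the module/function names are constructed for the demonstration; the arithmetic is the same at real key sizes.

```erlang
%% rsa_demo.erl -- added example, not code from the thread.
%% Textbook RSA on Erlang bignums: M^E mod N to encrypt, C^D mod N to decrypt.
-module(rsa_demo).
-export([mod_pow/3, mod_inv/2, keypair_demo/0, roundtrip/0]).

%% Base^Exp mod Mod by right-to-left square-and-multiply.
%% Erlang integers are unbounded, so this works unchanged on 2048-bit values.
mod_pow(_Base, 0, _Mod) -> 1;
mod_pow(Base, Exp, Mod) when Exp > 0 ->
    mod_pow(Base rem Mod, Exp, Mod, 1).

mod_pow(_B, 0, _M, Acc) -> Acc;
mod_pow(B, E, M, Acc) when E band 1 =:= 1 ->
    %% low bit set: fold the current square into the accumulator
    mod_pow(B * B rem M, E bsr 1, M, Acc * B rem M);
mod_pow(B, E, M, Acc) ->
    mod_pow(B * B rem M, E bsr 1, M, Acc).

%% Extended Euclid: {G, X, Y} such that A*X + B*Y = G = gcd(A, B).
egcd(A, 0) -> {A, 1, 0};
egcd(A, B) ->
    {G, X, Y} = egcd(B, A rem B),
    {G, Y, X - (A div B) * Y}.

%% Modular inverse of A mod M; the {1, ...} match fails loudly if gcd /= 1.
mod_inv(A, M) ->
    {1, X, _} = egcd(A, M),
    (X rem M + M) rem M.

%% Constructed toy key: two ~30-bit primes and the usual public exponent.
%% Real keys use primes of ~1024 bits or more; nothing else changes.
keypair_demo() ->
    P = 1000000007,
    Q = 998244353,
    N = P * Q,
    Phi = (P - 1) * (Q - 1),
    E = 65537,
    D = mod_inv(E, Phi),
    {{E, N}, {D, N}}.

%% Encrypt a constructed message with the public key, decrypt with the
%% private key, and report whether the round trip recovered it.
roundtrip() ->
    {{E, N}, {D, N}} = keypair_demo(),
    M = 123456789012345,          %% must be < N
    C = mod_pow(M, E, N),         %% ciphertext: M^E mod N
    M2 = mod_pow(C, D, N),        %% plaintext:  C^D mod N
    {M =:= M2, C}.
```

Run it with `erlc rsa_demo.erl` and `erl -noshell -eval 'io:format("~p~n", [rsa_demo:roundtrip()]), halt().'`; the first tuple element should be `true`. Note that this is raw ("textbook") RSA with no padding, which is fine for showing that the primitive really is one modular exponentiation but is not how content should be protected in practice: deployed systems wrap the operation in a padding scheme (OAEP for encryption, PSS for signatures) and use constant-time arithmetic, neither of which this short module attempts.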