### A Bug Report Turned Op-ed Piece on Browser Security Over-Hyped Lunacy
Ever have one of those days where the most basic things don't work? I've been having one all night. And I'm so sick of browser security turning things off.
I have just gone from machine to machine testing code, where containers or IDEs were not appropriate and, in my estimation, time-prohibitive solutions, far more effort than the minor task would justify. The task in this case was simply a color change of a background. Now I need a new browser, because even the Scratchpad, which I considered a last resort on account of the extra keystrokes involved and a whole window opening, also did not work: it's now telling me it's not safe for me to test a background color of light blue. Not safe? Are you f***ing kidding me? Meanwhile Gmail is telling me that the browser (Firefox) is a deprecated version and will not be supported, because the thing that won't let me hurt myself with the color blue is clearly reckless and negligent and far too permissive for my safety.
I'm not new to 'hacking around' these types of issues. I'm a tinkerer by nature, and so I've gone to great lengths, making private proxy servers to restore MIME types and security settings as I see fit, and even hosting some solutions as browser extensions in the Chrome store, like the XFrame Assassin. I also average at least two bash functions and four JavaScript command-line functions daily. That's just a start, and added up it's thousands of hours in not that long of a timeline; not really a big deal. Kinda cool. But what isn't cool is that more than half of this is devoted to undoing protections so that the first 50% will work. That's why it's not cool.
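As an added illustration (not the XFrame Assassin's own source, nor anything else from this post), here is the core of an extension that strips framing protections, written as a Manifest V2 background script. It assumes the `webRequest`, `webRequestBlocking` and `<all_urls>` permissions, which blocking header modification requires, and the sample headers at the bottom are constructed for a stand-alone run. Two things a practitioner would want to know before shipping such a thing: `X-Frame-Options` is only the legacy control, and a site that also sends a `Content-Security-Policy` with a `frame-ancestors` directive will still refuse to be framed unless that directive goes too, so the code handles both; and removing these headers from every response is precisely the clickjacking exposure they exist to prevent, which is the trade-off this post argues should be the user's to make.

```javascript
// Added example: what an X-Frame-Options-stripping extension like the
// "XFrame Assassin" mentioned above has to do. Illustrative code, not the
// extension's own source. Assumes a Manifest V2 background script with the
// webRequest, webRequestBlocking and <all_urls> permissions in manifest.json.
'use strict';

// HTTP header names are case-insensitive; compare them lower-cased.
const XFO = 'x-frame-options';
const CSP = 'content-security-policy';

// Remove the frame-ancestors directive from a CSP value. Returns '' when
// nothing is left, so the caller can drop the header entirely.
function stripFrameAncestors(policy) {
  return policy
    .split(';')
    .map((d) => d.trim())
    .filter((d) => d !== '' && !/^frame-ancestors(\s|$)/i.test(d))
    .join('; ');
}

// Given the responseHeaders array that webRequest.onHeadersReceived hands
// over ([{name, value}, ...]), return a new array with framing restrictions
// removed. Every other header passes through untouched.
function stripFramingHeaders(headers) {
  const out = [];
  for (const h of headers) {
    const name = h.name.toLowerCase();
    if (name === XFO) continue; // legacy framing control: drop it outright
    if (name === CSP && typeof h.value === 'string') {
      // Modern framing control lives in CSP; edit the policy, keep the rest.
      const rest = stripFrameAncestors(h.value);
      if (rest === '') continue; // policy was frame-ancestors only
      out.push({ name: h.name, value: rest });
      continue;
    }
    out.push(h);
  }
  return out;
}

// Extension wiring: only active inside a browser extension context.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    (details) => ({ responseHeaders: stripFramingHeaders(details.responseHeaders) }),
    { urls: ['<all_urls>'] },
    ['blocking', 'responseHeaders']
  );
}

// Constructed sample response headers for a stand-alone run (not captured
// from any real site).
const sampleHeaders = [
  { name: 'Content-Type', value: 'text/html' },
  { name: 'X-Frame-Options', value: 'SAMEORIGIN' },
  { name: 'Content-Security-Policy', value: "frame-ancestors 'none'; default-src 'self'" },
];

// Stand-alone demo: prints the headers with framing restrictions removed.
console.log(JSON.stringify(stripFramingHeaders(sampleHeaders)));
```

Manifest V3 restricts `webRequestBlocking` to policy-installed extensions, so a store-distributed extension today would instead declare a `declarativeNetRequest` `modifyHeaders` rule with `operation: "remove"` for `x-frame-options`; a static rule can remove or replace a header but cannot edit a `frame-ancestors` directive out of an otherwise useful CSP value the way the function above does.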
I opted to look for answers on my immediate issue and hit Bugzilla (Mozilla's bug reporting system, obviously). I was surprised at the low number of requests for fixes, and of those, 80% of the comments were in favor of more restrictions. Meanwhile, Chrome should be going through the stats on its development-channel flag "annoying security features", gleefully counting the number of masochists who joined up.
I'm a strong proponent of eliminating the rapidly accelerating, totally absurd and vain push towards protecting people from themselves online. It's insulting, presumptuous, inconvenient, even expensive at times, far beyond what you might expect, and ultimately the greater goals, as perceived by those implementing these inconvenient seatbelts, will fail.
It's not the browser's responsibility to prevent users from being stupid, or even Facebook's; it's the user's. This isn't any longer an internet of web developers, server guys, and idiot customers. Gone, I think, are the days of 'if you don't want to work all weekend, you'd better hide all the admin panels from them'. Code is beautiful, I thought? Actually I did, until it became a goddamn cliché. Now we are telling all users they are 'hackers' because they did... what exactly? Or that they are a super special new 'micro-economy'. Maybe you shouldn't tell them all to be a startup, a DIY business, or that as a video blogger they can make a zillion an hour, which according to the FTC and the people they put in prison is actually quite illegal to suggest. Especially if, to succeed, they need to open an account and pay you a lot of money. Ask Don LaPre. Shoveling some multinational conglomerate's junk $2 CPM pop traffic, which five years ago was all but illegal.
Saying we cannot execute code in any form in the address bar is stupid, if you are building a browser and want me to use it. It's a bit like giving somebody a car and telling them to be sure not to drive. WTF?!
Moreover, it's not your place to protect me. Walking down the street can quickly turn into walking off a cliff; you shouldn't solve that problem either, we must learn not to do this. A legitimate Gene Roddenberry utopia may well be around the corner, but if it is built like this, I absolutely promise you the death-by-papercut inconveniences of today will, by the nature of the reasoning behind them, resemble something closer to 1984 before long, at which point you will have lost your grip entirely, or perhaps tightened it around us all.
Consider how concern over work-at-home scams, not clever enough to call their prospective clients 'digital nomads' nor smooth enough to get the president of the United States to place open-sourcing cable boxes above terrorism, got the natural conclusion of a successful "protection" campaign: they got the FTC, the FTB, the CPB, and it's not unheard of to use the Secret Service, the IRS, the SEC, and the FBI, just to name a few. And those few can cite that protection as justification for their further existence while submitting their annual application for an increase in budget and scope of powers. Why? Because it is their nature.
The point is that the misplaced concern and self-righteous advocates of today are the institutions and oppressive administrations of tomorrow. Call it Big Brother if you like, and do note that it has a private-industry equivalent whose net effect is the same. Genuine concern is respectable; perhaps even 'noble' is a fitting description, but let's not get carried away. If you are so concerned, mail users a pamphlet if you must, and pat yourself on the back, but don't change my life for the weakest link. I earned being a power user as a child; there are no excuses.
We are not going to be able to prevent people from acting on being told to give their money away over the phone, or from wasting that which is infinitely more valuable, 'time', on following Kim and Kanye or that Jenner girl/guy (yup, don't know or care). You can't stop them from stabbing themselves with a knife, or hitting 'ctrl+alt+delete', 'format c:', 'ctrl-alt-t + sudo rm -rf /', or buying something they don't need, or marrying an abusive person, or having sex with someone or something and contracting a terminal disease, or typing an email to their boss that gets them fired because some blog suggested that course of action.
And so it's a failure one way or the other; it's only a question of the degree of losing and quantifying the cost, then seeing if, after paying it, you have enough left to fix what you've done, or whether it even matters in the event it's too late. Your first clues it's nearing too late: 1) the 5th letter from a small business owner who is now out of business and pissed off because you've overcomplicated things for him, and that has translated into hiring people he cannot afford or closing up shop; 2) a new federal agency is proposed to oversee compliance with new government-mandated safety protocols for the proletariat's protection. You see how you fail no matter what? How it's all, at best, destined to be in vain?
Personally, I'm a little offended watching those in positions of power simultaneously eliminating competition and consolidating market share under the guise of protecting the user, or while the otherwise watchful eye of someone is distracted by these ridiculous, overhyped concerns. The mission-statement propaganda that clears the path for a wave of ever-increasing protections has been very effective at, as I see it, outright conning many easily influenced, doe-eyed developers into implementing and carrying this flag for some greater-good nonsense. There are all types in the developer field, and some of them I know roll their eyes; they too see the whole thing as a vain, superfluous circle jerk. But tell me honestly there is not a certain under-the-surface, lingering intimidation that they will be ostracized as Luddites if they don't promote what is essentially the 'party line' of 'move the web forward'. It's b.s. on so many levels.
Freedom means having enough rope to hang yourself. I'm pretty sick of this agenda, inextricably tied to some progressive utopian fantasy with the word 'beautiful' every other sentence or hackathon. There are those of us who were willing to call ourselves that not long ago, when it could mean a Secret Service wiretap, and you know what? We don't give a shit about cross-site scripting vulnerabilities. We also know not to fuck a whore without a condom, and don't need the lectures. We do not wish to have our hands and keyboards tied because you have to make it warm and fuzzy for the newest newbie.
My vote is to handle the entire situation with a checkbox acknowledgement. For as far back as I can remember in Firefox, most things of value begin with about:config, which for admittance includes an adequate and appropriate caution, largely unchanged despite a growing 'crowd-coding' base of users and developers building, discussing, evaluating, and providing feedback. This is indicative of something that, by popular decree, works. As applied to this situation, we simply display a similar warning, like this:
"Warning: if you don't know precisely what you are doing, cool. But remember, with great experimenting comes great responsibility, because what is a test if not measuring a consequence. Make sure you are prepared for whatever that may be and familiarize yourself with the likely range of outcomes. Like 'what's the worst that can happen, and am I OK with this or not?'. Now, because you are allowed to vote for world leaders, and buy military-grade weaponry for recreational use, and drink, buy porn, and drive, sometimes in that order, we here at [Mozilla/Google/Apple/Microsoft] elect to not demean and patronize you and instead hereby permit you to enter code into a box on your browser. BTW, one mistake could be fatal. Check the box if you agree, and smiley face."
"User! Listen closely and say nothing; time is of the essence. Something critical has happened and, well, no time for explanations. Just as quickly as you can, punch yourself in the face, really f*n hard! If you can still read this, continue to pummel yourself until you fall out of your chair."
Any time you are unsure of an action, whether it may be a 'man in the middle' vulnerability, or a cookie that lasts 357 days or skips across domains, or his attempted about:config entry, or changing the color of the background panel directly in the address bar, or maybe he forgot to opt in for his rectal-inspection MFA/2FA, just issue this prompt box. See, if he does it, he was too stupid to look out for himself. But he'll knock himself out in that case, so problem solved! If he doesn't, maybe he's also smart enough not to delete his hard drive because Ming Lee on Facebook promised him a bank wire if he does.
I rather like this last approach for just about everything. But then again, maybe even that poor schlub deserves to make the decision for himself, stupid though he may be.