
(correction: s/tables/images/ -- tables were not reified in the early DOM but their image/form/link/anchor contents were. fun bug where ebina's 2^n table layout nesting depth n created n instances from one markup element, which combined with radio-button-inspired auto-arraying of multiple same-name= attribute value element objects. last one pushed was the real one!)


At this point, I think Mozilla was doomed - just on first principles and induction.

Anyway, it's interesting that the billionaires of the new aeon are dedicated to physically realistic space travel. I admire that. More recently I heard Larry is into Tri-Alpha Energy (proton-boron fusion) which may yet prove viable. Let's hope so!

Meanwhile, JS lumbers along its evolutionary path, advantaged by being "on first" in 1995 and for two years while I worked to standardize it. Here's to 22 years more!


Larry said regarding Project Orion (nuclear bomb impulse-fueled rockets: very big shock absorber with springs and steampunk tech to absorb the shock) "We should do that!".

I cannot disagree, although I demur from atmospheric launch, even if only over northern China.

It was clear that (a) Sergey and Larry wanted to do something big; (b) they wanted to do a browser; hence my suggestion they do their own on WebKit, as Larry favored to me at the time.

At this point the Google Chrome die was cast.


Hyatt never left Apple, so his name is redacted in Techtopus case materials.

At that last (for me) meeting in 2005, Larry Page said both he and Sergey had both just been to Esther Dyson's "Space Camp" where her uncle Freeman Dyson had given a talk on Project Orion. If you don't know what this is, read Niven & Pournelle's "Footfall". Freeman talked about the chemical explosive-fueled prototype, and the future.

In front of me, Larry Page said "Everything today is lame!" and pounded the table. +


And we were right! Firefox.

Ok, after we did Firefox and partnered with Google on search, we knew Sergey (& Larry) would do their own browser. My last meeting with both Google founders was in 2005. Sergey was late because Steve Jobs had called him to scream about "don't you fucking poach David Hyatt!"

This was the "Tech-topus" case, where Google, Adobe, Intel, and Apple were said to have agreed (in restraint of trade) to avoid recruiting one another's talent, with higher pay per poach. Oops. +


I knew at that time, per my cube-mate Jeff Weinstein's query to me, that JS would either die fast or live for 20 years and go big. I wanted to help jwz, Lloyd Tabb, paquin, mtoy, and others to get off the ground. Even then, as MS was killing Netscape by taking the price of a browser to $0 and filling in the server side, those of us on side with could foresee a time when server side code was also 0-cost. We reckoned that client code built at cost of ~$1B would be valuable.


Much of 1997, I focused on standardizing JS as "ES1", ECMA-262 (see In June I drove in a rented "Turbo Diesel Minibus" from Paris to Nice with my marketing counterpart, Ang Ng, and her boyfriend Jason. Good times, not quite "Ronin" (the film) but close enough -- we even went to Eze, the perched village, above Nice and Cap Ferrat.

(I did not RPG an opposing car, as De Niro did in "Ronin".)

After standardizing JS, I joined the incipient team in late 1997. +


San Jose in 1997, and we enjoyed Scott Isaacs of MS showing us VML (vector graphics markup in IE) and other stunts which we had both discussed at Netscape, without having the means to implement -- for want of Netscape blowing its IPO mad money on mediocre "enterprise" startups such as Collabra -- and Scott Furman and I both said to each other "we're fucked!"

From there on, it was downhill all the way. First floor Netscape people, fried to a crisp by the 1.0 and 1.1 releases, left or checked out.


When jwz and Terry Weissman were still working on Netscape 2.1, they implemented S/MIME with Lisa Repka (my friend from MicroUnity). At the same time, pmarca et al. miscalculated on the Collabra startup they bought and gave keys to the Netscape client kingdom. This led to Netscape 2.1 becoming 3, and Netscape 3 becoming 4 -- and at first running only on Windows -- and not well, against IE4.

Scott Furman (friend from MicroUnity & Netscape) and I went to MS's IE4 open house at Gordon Biersch in +

It bothers me that if I had been as restrictive as, e.g., CORS, the Web as we know it would not have evolved. One must be liberal at the start, conservative over time, until an evolutionary kernel has formed and can support rampant speciation above and below, per Constantine Dovrolis's work.

Anyway, I chose to favor permissiveness in JS, from 1995 onward, especially in 1996 Netscape 3. This was the release, as jwz has attested, that was originally meant to be NS2.1, while NS3 ended up NS4 lol.

The "same-origin policy" was born. My aim was to restrict access via reference (JS strong ref in GC heap, equivalent to Object Capability Security "capability") to same-origin objects, plus a few exceptions such as another frame or window whose location object one could navigate. I wanted to enable origins to implement JS apps whose subframes could load content from distinct origins, but still control the navigation from the top level. This worked to a greater extent than I expected; also, XSS!


So the "DOM level 0" was very flat: document.{links,forms,anchors,tables} and indexing deeper from there. The ability to script form submit gestures was great. The Image constructor came later, in Netscape 3 -- along with <script src=> -- but even in NS2 people could build "Single Page Applications" (SPAs) via frames/framesets/onclick=javascript: URLs. It was awesome. Also crashy and insecure as hell.

I reckoned based on Butler Lampson papers that I needed a principal identifier: scheme:host:port
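An added illustration, not part of the original thread and not Netscape's code: the scheme:host:port principal and the same-origin check with the location-navigation exception described in the posts above, written against the modern `URL` API. The function names, the operation labels and the example URLs are assumptions made for the sketch.

```javascript
// Added sketch (hypothetical names); models the policy described in the posts,
// not any browser's actual implementation.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Reduce a URL to its scheme:host:port principal.
// URLs with no network host (data:, about:, javascript:) get no principal here.
function principalOf(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS) || u.hostname === "") return null;
  // URL.port is "" when the port is the scheme default, so fill it in explicitly.
  const port = u.port || DEFAULT_PORTS[u.protocol];
  return `${u.protocol.slice(0, -1)}:${u.hostname.toLowerCase()}:${port}`;
}

// Two URLs are same-origin only if all three components match.
function sameOrigin(a, b) {
  const pa = principalOf(a);
  const pb = principalOf(b);
  return pa !== null && pa === pb;
}

// Access decision for a script at accessorUrl touching an object owned by
// targetUrl. Same origin: any operation. Cross origin: only navigating the
// other frame or window's location, the exception the post mentions.
function mayAccess(accessorUrl, targetUrl, op) {
  if (sameOrigin(accessorUrl, targetUrl)) return true;
  return op === "set-location";
}

// Constructed sample checks (example hosts are placeholders).
const checks = [
  ["http://app.example/page", "http://app.example:80/frame", "read-dom"],
  ["http://app.example/page", "https://app.example/frame", "read-dom"],
  ["http://app.example/page", "http://ads.example/frame", "read-dom"],
  ["http://app.example/page", "http://ads.example/frame", "set-location"],
];
for (const [from, to, op] of checks) {
  console.log(`${principalOf(from)} -> ${principalOf(to)} ${op}: ${mayAccess(from, to, op)}`);
}
```

The explicit default-port step matters: without it, `http://app.example/` and `http://app.example:80/` would compare as different principals even though they name the same server endpoint.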


My demo was a "JS console" via a javascript:-URL-addressed post-method built-in form request handler. The first JS console. After showing basic math and the recursive Fibonacci function, I had a crash, which I back-traced in gdb and joked "everyone's to blame!" as my code, Lou Montulli's netlib, Eric Bina's layout engine, and jwz's X front end were all on-stack, lol.

I had designs on ebina's layout code, but it parsed very quickly (modems!) into a flat display-list-like structure - no hierarchy.


(where I worked with the McCool twins and Ari Luotonen) I transitioned to the client team under Tom Paquin and dove into JS. On May 5, 1995, I started by implementing a JS scanner/parser in a day or so, then a bytecode interpreter (as the Livewire server product wanted to avoid recompiling from src on every request). I also wrote a decompiler (this bit back; my friend Lars Thomas Hansen formerly of Opera had similar experience). I was aiming for demo day, Monday, May 15, 1995, & hit the target.


JS is 22 years old today.

I joined Netscape on 4 April 1995, lured by jg&mtoy to "do scheme in the browser". Upon joining I found (1) headcount wars in pre-IPO NSCP left the client group unable to hire me as planned, so I joined the server team; (2) Sun was doing the Java deal with Netscape. Sun viewed Netscape as the vector for its Java virus, didn't care about integration with HTML -- but Bill Joy "got it" and along with Marc Andreessen supported me doing "Mocha". After a month on server side

Hey #infosec - Tavis has just claimed, quote, "the worst Windows remote code exec in recent memory."

If it's as bad as advertised...well, time to make sure the hatches are battened down.

This is a great article on alienation, consent and the peculiar institution of employment: (h/t

@taoeffect The red pill is basically a 0-day security exploit, like a buffer overflow caused by a malicious JPG (or, in a gaming context, a map break-out exploit), that allows your program/consciousness to quite literally break out of its sandbox. It's not something the machines intentionally included, it's just a hack made possible by an incredibly complex interconnected system.

....OK, let's be real blunt here.

Blocking individual ports on a firewall is foolish.

Instead, block everything and carefully audit what you -need- to allow through, in -both- directions.

Lock it down so only those specific systems that -need- a port are allowed that access.

For instance, your workstations? They do -not- need DNS out. They should request DNS from your local resolver, and THAT box gets DNS outbound.
