0risk
Member of DD Central
Posts: 217
Likes: 202
Post by 0risk on Jan 4, 2017 11:37:06 GMT
Thanks for the effort, but accessing a large part of my life savings through something called TamperMonkey? I think I'll pass... [@mods, do you have a policy on these things? I'd get one, pronto...] On the other hand it is a "0risk" script. I respect your opinion and I think it is reasonable. It is a personal choice.
james
Posts: 2,205
Likes: 955
Post by james on Jan 5, 2017 9:47:00 GMT
Mods please consider removing p2pindependentforum.com/user/647 post above as he has not complied with the permission to quote as per the first page of the first sentence of the introduction in the referred to link. Even if it is very interesting. The permission to quote doesn't cover the actual paper, which SANS is not the copyright holder of. As their cover page, which they do have copyright over, observes, the copyright belongs to the author, who submitted it as part of the requirements for an educational qualification. Since the SANS text is boilerplate that claim is also dubious since it is common for institutions to be the copyright holders of papers by their students. Notice the library claim on the cover page? Section 107 of the US Copyright Act 1976 introduced a right for libraries to make copies for their use. Which is presumably the basis for SANS including that boilerplate to assert why they have a right to distribute generically. I can put my own covers around a public domain book and assert copyright on the combination but that gives me no right to control other republishers of the book, just my combined version and any distinguishing layout. In this case the internal paper is academic and quoting from academic papers for discussion is both the norm and the purpose, which is promulgation of knowledge. You've been duped by a misleading copyright claim in the SANS boilerplate.
GeorgeT
Member of DD Central
Posts: 1,322
Likes: 1,576
Post by GeorgeT on Jan 5, 2017 12:25:55 GMT
Shocked that scripts like this are allowed to be promoted. It is scripts like this that are exactly why places like Saving Stream are not going to get FCA authorisation, because they are definitely it has to be equitable. Greed is not a nice thing and we see it here in its worst form, where people are going to the trouble of writing highly complicated codes to give themselves the edge and get more than other people. Well, let me remind them of this: when their actions result in Saving Stream not getting authorised and its becoming discredited, because it is owned and controlled by a bunch of people using codes, then it will fall apart, and it is the people with the codes who will end up losing the most money, because the normal saver has left and given up long ago because of them.
twoheads
Member of DD Central
Programming
Posts: 1,089
Likes: 1,192
Post by twoheads on Jan 5, 2017 15:09:17 GMT
> Shocked that scripts like this are allowed to be promoted. It is scripts like this that are exactly why places like Saving Stream are not going to get FCA authorisation, because they are definitely it has to be equitable. Greed is not a nice thing and we see it here in its worst form, where people are going to the trouble of writing highly complicated codes to give themselves the edge and get more than other people. Well, let me remind them of this: when their actions result in Saving Stream not getting authorised and its becoming discredited, because it is owned and controlled by a bunch of people using codes, then it will fall apart, and it is the people with the codes who will end up losing the most money, because the normal saver has left and given up long ago because of them.

How is a publicly available script, which anyone may use, not equitable?
If you want equitable, then should we ban users with gigabit connection speeds because they have an advantage over those with only a megabit or two? Should we ban users who work all day on their computers because they have some kind of an advantage over those who do not? Should every user be forced to use a standard computer, operating system and browser combination to keep things fair in some sense?
The best way to gain a real advantage is to do your due diligence checks and the easiest way to make a start in that is by using the posts of cooling_dude in which a host of information from multiple users is collated. Perhaps the DD posts should be banned as they give one the edge over those who invest blindly, tempted by 12% and SS's current record?
The vast majority of investment is via prefunding new loans and not through buying on the secondary market. The secondary market is primarily a vehicle to get your cash out if necessary and it is geared to sellers not buyers, a fact that has been pointed out by many on this forum. It is the highly volatile SM which gives many investors (rightly or wrongly) the confidence to use P2P and SS in particular. If you are a new investor, then trying to build your portfolio on the SM will lead to frustration. I and many before me have found this.
The script in question simply highlights loans in which you are interested without you having to be locked in a cycle of refreshing and observing. If you are at your computer, working on something else, then it will alert you and you can decide whether to buy and then fill in the nearly inevitable recaptcha: a distraction of a few seconds.
Also remember that this script and others cannot actually make the purchase for you because solving the recaptchas requires human intervention.
twoheads
Member of DD Central
Programming
Posts: 1,089
Likes: 1,192
Post by twoheads on Jan 5, 2017 17:34:42 GMT
I have thoroughly read the papers pointed out by solicitorious.
I have analysed the scripts from 0risk as far as I can (although my programming expertise is certainly not in JavaScript).
The papers (in particular the securitee paper) point out that:
- The vast majority of script-based hacks are made by designing a deliberately malicious script which you attempt to get an unsuspecting user to install.
- The rest of the script-based hacks exploit technical weaknesses in otherwise non-malicious scripts which may be in use.
Even to a novice programmer, it is clear that the scripts do nothing malicious, untoward or dodgy in any way.
So, do these scripts have any of the weaknesses described?
There are basically two weaknesses which are described in the securitee paper:
1. Overly-generic scripts, i.e. they can run on sites for which they were not designed. Thus a malicious site can be designed to activate the script and it may be possible to subvert it.
2. A rather technical weakness but, as far as I can tell, it can only be exploited if the script can be made to run on a malicious site (see 1, above) or if the SavingStream site itself is hacked so that it uploads malicious code to its users.
On point (1): the scripts are completely specific to the SS site. They follow the recommendations of the paper and will not run on any other site.
On point (2) I am on less sure footing but, since the script will only run on the proper SavingStream website, there is no issue providing that the SS site is itself secure.
Also, overly-privileged scripts are mentioned, i.e. they are granted more privileges than they strictly require for their function. [Although this is not actually an attack weakness, it is more good practice.] Simple scripts do not usually need much in the way of privileges. If such a script can be subverted then its lack of privileges will often provide enough protection. The general rule is to grant only the minimal privileges required to function. These scripts are simple and, as such, have an absolutely minimal set of privileges, which is precisely as it should be.
It is my opinion that these scripts are completely safe.
On the point of the SS site being hacked: If this is the case then malicious stuff can be uploaded to our browsers from the site irrespective of whether we use these scripts. However: using these scripts does potentially increase the possible damage which an SS hack could cause.
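The two checks twoheads describes (is the script pinned to one site, and does it ask for more than it needs) can be made mechanical by reading a userscript's metadata block. The following is an added example written for this thread; it is not 0risk's script and not code from either paper. It uses the standard Greasemonkey/Tampermonkey directives @match, @include and @grant, and every hostname and sample script in it is constructed for illustration.

```javascript
// Added example, not code from the thread or from 0risk's script: a small
// static checker for the two userscript weaknesses discussed above, an
// @include/@match that does not pin the script to one site, and @grant
// privileges a simple page-watching script does not need. Directive names
// follow the Greasemonkey/Tampermonkey metadata block; every hostname and
// sample script below is constructed for the example.

const META_LINE = /^\/\/\s*@(\w+)\s+(.+?)\s*$/;

// Collect the // ==UserScript== ... // ==/UserScript== block into a map of
// directive name -> list of values (a directive may repeat, e.g. @match).
function parseUserscriptMeta(src) {
  const meta = {};
  let inBlock = false;
  for (const rawLine of src.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '// ==UserScript==') { inBlock = true; continue; }
    if (line === '// ==/UserScript==') break;
    if (!inBlock) continue;
    const m = META_LINE.exec(line);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2]);
  }
  return meta;
}

// Host part of a glob-style URL pattern such as "https://example.com/loans/*",
// or null when the pattern has no scheme://host prefix.
function hostOfPattern(pattern) {
  const m = /^[a-z*]+:\/\/([^/]+)/i.exec(pattern);
  return m ? m[1] : null;
}

// Returns { ok, findings } where each finding is a one-line reason the script
// would run more widely, or with more privilege, than the post recommends.
function auditUserscript(src) {
  const meta = parseUserscriptMeta(src);
  const findings = [];

  const patterns = [...(meta.match || []), ...(meta.include || [])];
  if (patterns.length === 0) {
    findings.push('no @match/@include: the script is not pinned to any site');
  }
  for (const p of patterns) {
    if (p === '*') {
      findings.push(`generic pattern "${p}": runs on every site`);
    } else if (p.length > 1 && p.startsWith('/') && p.endsWith('/')) {
      // Regex @include: this checker cannot prove it pins a host.
      findings.push(`regex pattern ${p}: host not statically pinned, review by hand`);
    } else {
      const host = hostOfPattern(p);
      if (host === null) findings.push(`unrecognised pattern "${p}"`);
      else if (host === '*') findings.push(`generic host in "${p}": runs on every site`);
    }
  }

  if (!meta.grant) {
    findings.push('no @grant line: privileges are left for the script manager to infer; declare "@grant none"');
  } else {
    for (const g of meta.grant) {
      if (g !== 'none') findings.push(`privileged API granted: ${g}`);
    }
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample in the shape twoheads describes: one site, no privileges.
const TIGHT_SCRIPT = `// ==UserScript==
// @name     loan-highlighter
// @match    https://example.com/loans/*
// @grant    none
// ==/UserScript==
document.title = '[watching] ' + document.title;
`;

// Constructed sample with both weaknesses: runs everywhere and may make
// cross-site requests on the user's behalf.
const LOOSE_SCRIPT = `// ==UserScript==
// @name     loan-highlighter-loose
// @include  *
// @grant    GM_xmlhttpRequest
// ==/UserScript==
`;

for (const [name, src] of [['tight', TIGHT_SCRIPT], ['loose', LOOSE_SCRIPT]]) {
  const result = auditUserscript(src);
  console.log(name, result.ok ? 'OK' : 'FINDINGS', result.findings);
}
```

Run it with node and paste any userscript's source in place of the samples; a clean result means the metadata block pins the script to named hosts and asks for no GM_* API, which is the minimal-privilege shape the post argues for. A regex @include is reported for manual review rather than judged, because whether it pins a host cannot be decided from the pattern text alone.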
0risk
Member of DD Central
Posts: 217
Likes: 202
Post by 0risk on Jan 5, 2017 18:10:46 GMT
twoheads, I really appreciate you taking the time to read the paper, interpret the scripts and write your opinion.
bababill
Member of DD Central
Posts: 529
Likes: 245
Post by bababill on Jan 5, 2017 22:06:43 GMT
> Mods please consider removing p2pindependentforum.com/user/647 post above as he has not complied with the permission to quote as per the first page of the first sentence of the introduction in the referred to link. Even if it is very interesting. The permission to quote doesn't cover the actual paper, which SANS is not the copyright holder of. As their cover page, which they do have copyright over, observes, the copyright belongs to the author, who submitted it as part of the requirements for an educational qualification. Since the SANS text is boilerplate that claim is also dubious since it is common for institutions to be the copyright holders of papers by their students. Notice the library claim on the cover page? Section 107 of the US Copyright Act 1976 introduced a right for libraries to make copies for their use. Which is presumably the basis for SANS including that boilerplate to assert why they have a right to distribute generically. I can put my own covers around a public domain book and assert copyright on the combination but that gives me no right to control other republishers of the book, just my combined version and any distinguishing layout. In this case the internal paper is academic and quoting from academic papers for discussion is both the norm and the purpose, which is promulgation of knowledge. You've been duped by a misleading copyright claim in the SANS boilerplate.

Thanks for the comprehensive reply. However, I was referring to this link www.securitee.org/files/monkey_asiaccs2014.pdf, not the SANS link. Perhaps the same applies? Really, I was just trying to be facetious in regards to a) solicitorious advising Mods what to do, b) how it seems any link, i.e. to any newspaper or article, needs to be moderated first/redacted etc.
james
Posts: 2,205
Likes: 955
Post by james on Jan 6, 2017 4:00:53 GMT
Same general issue, it's a research paper and reasonable levels of quoting from research papers is expected and desired because dissemination of knowledge is the purpose of such works.
The particular presentation, notably including the ACM - a well known computing professional association - notice as a whole might be protected depending on the status of the underlying work, which was funded by various sources that might restrict copyright options for work product of things they finance, depending on the exact relationships involved. This one appears to be either from a poster presentation at a conference or hard copy of the text of a presentation given there. Submission requirements might include assigning copyright, to the extent that those submitting it own the copyright, but that won't ever prevent sensible quoting levels for this type of work after first publication has happened.
vmail
Posts: 457
Likes: 217
Post by vmail on Jan 6, 2017 20:09:36 GMT
Nice, almost like the .Net program that I wrote. I will test this script further.
aju
Member of DD Central
Posts: 3,500
Likes: 924
Post by aju on Jan 10, 2017 10:17:42 GMT
I fully understand the negatives and the positives of the arguments here, but as someone who has taken browser extensions and their use as a given it is very useful that someone took the trouble to question all this and better still offer up the arguments using really enlightening articles. Thanks to the people on both sides of the argument.
In particular I was unaware of how useful these scripts could be and, worse, how dangerous as well. I have been using Stylish for some time to combat layout changes that Zopa in particular forced upon me and many other annoyed people. To a degree, messing with Stylish opened up my ability to then move on to make all my useful sites, including banking ones, where it seems the mobile/tablet proliferation has forced most web design to use these as the default (some sites are abysmal on my PC). To me this made the use of a real workhorse (the PC and its screens etc.) rendered into what I feel is a complete mess. I have managed to get the screens of banks and other organisations to do what I want with very little simplistic tweaks to relevant parameters, but it is very annoying also the way sites are changing so often; it's hard to keep up, but that's another story I guess.
That said, having read the linked articles I am now torn between wanting to remain safe and wanting to make my life easier or in some cases just possible. I will of course come to some resolution that fits my needs and worries, but I would like to say that the info so far has been very useful.
Thanks for the interesting reads and arguments so far. Hopefully the mods will not listen to some of the pull-down requests, but I do understand the buyer-beware sentiments of others.
registerme
Member of DD Central
Posts: 6,624
Likes: 6,437
Post by registerme on Jan 10, 2017 10:24:26 GMT
aju, there's a more general discussion here that might be of interest.
locutus
Member of DD Central
Posts: 1,059
Likes: 1,622
Post by locutus on Jan 10, 2017 10:32:33 GMT
I'm curious about whether those complaining about this script use an ad blocker or make use of their browser's pop-up blocker. After all, they are all using client-side manipulation to change how a page is rendered...
aju
Member of DD Central
Posts: 3,500
Likes: 924
Post by aju on Jan 10, 2017 10:56:05 GMT
I'm using all of the above and then some, until the site is aware and blocking the blockers!!! Or I am comfortable with the sites. I use Ghostery on and off as my mood takes me, in similar ways.
However, I am obviously more aware now as a result of some of the links in this thread, I will read more carefully.
BTW, removing extensions etc. does speed up Chrome in my experience.
Ones I couldn't do without are "The Great Suspender", "Xmarks" and, last but not least, "Session Buddy", to name a few.
Mind you, I am not complaining about this stuff either; I know nothing about any of the other P2Ps but Zopa, so don't know the dangers on the original stuff.
aju
Member of DD Central
Posts: 3,500
Likes: 924
Post by aju on Jan 10, 2017 12:06:52 GMT
> aju, there's a more general discussion here that might be of interest.

Whoa! My dilemma just got a whole lot worse. Thanks for the pointer, and my OH thought we were just going shopping today ;-)
PS: Having gone there now I realise I started there and it pointed me to this one; nothing like being in a loop. I feel some feedback coming on (sorry, I play loud guitar some days and couldn't resist the similarity!)
SteveT
Member of DD Central
Posts: 6,875
Likes: 7,924
Post by SteveT on Jan 30, 2017 13:16:58 GMT
(re-stickying)