Does it mean that whenever I click on a link I must be afraid that my computer will start to participate in a filesharing network?
What if a website uses the technology to spread copyrighted material in the background without me knowing about it? Maybe the website had a simple XSS hole that allowed an attacker to do it?
So later I will get a fine for spreading copyrighted material and I don't even know where it came from?
In the US, copyright is also more about sharing/uploading than downloading (if I remember right, all of the RIAA lawsuits were for uploading). The bigger issue is if the exploit has you download something that's illegal to possess (eg: illegal pornography).
Is it still illegal content if it's a fragment, or part of, the file? Because if it's an encrypted portion of a file, then you actually only have bits of nothing.
In the UK the police can demand encryption keys and, if you fail to supply them, throw you in prison for 10 years. So the punishment for having encrypted content which you do not have the key for could be far worse than actually having illegal content :(
A person to whom a section 49 notice has been given is guilty of an offence if he knowingly fails, in accordance with the notice, to make the disclosure required by virtue of the giving of the notice.
In proceedings against any person for an offence under this section, if it is shown that that person was in possession of a key to any protected information at any time before the time of the giving of the section 49 notice, that person shall be taken for the purposes of those proceedings to have continued to be in possession of that key at all subsequent times, unless it is shown that the key was not in his possession after the giving of the notice and before the time by which he was required to disclose it.
For the purposes of this section a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if:
* sufficient evidence of that fact is adduced to raise an issue with respect to it; and
* the contrary is not proved beyond a reasonable doubt.
In the US we have the 5th Amendment to the Constitution which forbids the government from making you testify against yourself. Details can be found here:
This concern applies to any JavaScript: your browser is automatically downloading and running untrusted software on your computer without prompting you.
Even if you enjoy having JavaScript enabled for many sites, something like NoScript is still a good idea---it at least gives you a chance to question whether it's needed at all, or verify what it's doing yourself.
If you're not a JavaScript developer, that's not so easy to do with NoScript, unfortunately, because you'd have to allow the file to load, or pause it with a debugger, to see what is actually going on. Some scripts are also loaded at runtime.
LibreJS will list every script and its contents if it's not marked with a free license, but since it will refuse to execute it, it will not load anything that is dynamically loaded at runtime. But a malicious script could just mark itself as free to get around that.
Yes, and given the prevalence of JavaScript in 2015, I don't see this as a practical option at all for actually using the Internet.
Chrome canary + uBlock *uMatrix (which lets you allow images / scripts / css / XHR selectively per-domain) is about as much as I can stand to maintain.
Yeah, this is an interesting thought exercise. You could even, ad banner style, put an iframe on all sorts of pages letting a computer serve as part of a torrenting network.
Exactly my thoughts. JS torrent clients are dangerous.
There was a case in Germany recently where thousands of internet users got cease-and-desist letters and were asked to pay a fine based on an ad-injection. The people behind it made hundreds of thousands and ran off with the money.
On the other hand: If malicious driveby torrenting happens regularly, it will be harder to fine people for it, because it gives them a good excuse.
The case you are talking about clearly looks like a scam. How is it even legal to ask for a ransom in exchange for not disclosing you to the justice system?
It wasn't legal, but that didn't prevent them from running off with the money. Nobody wants to get involved in a lawsuit over porn movie piracy, so many people just pay the fine.
And when you pay, it's almost impossible to get the money back, because you basically admit your guilt, even when the claim was not legit.
There's more to this case, you can read about it here:
tl;dr: They got users' IPs through ads and misled the courts into thinking the users committed a crime by watching the videos. Courts ordered the ISPs to give out the users' info, the law firm CD'd the users and ran off when shit hit the fan.
The same thing can happen with JS torrenting and it's even easier to do.
Am I wrong to assume that "webtorrent" is a "hack" of current technology such as WebRTC to make torrents work over the web, and that it would be much better to define a native protocol for torrents/P2P file sharing on the web?
Unfortunately now that the W3C has made the MPAA a member of its board, I assume it will oppose any and all such protocols with both hands.
Not really. WebRTC is explicitly designed to allow arbitrary data to be sent peer-to-peer, with things like encryption, NAT busting, etc. built in; layering file transfer on top of it isn't a hack. It's not compatible with existing protocols, unfortunately, but raw UDP (and TCP) sockets are unlikely to be allowed on the web anytime soon due to security concerns; there are various efforts by browsers to provide APIs for this for use cases like the Chrome Web Store and Firefox's Open Web Apps, where security can be relaxed (e.g. [1] [2]) - and there are in fact torrent addons for both browsers - but on the actual web, you need an additional layer. In lieu of the web being able to speak BitTorrent, it would be nice if native BitTorrent clients started to speak web - that is, support bridging over WebRTC themselves. That is, in fact, what the author of instant.io is attempting, according to [3], with "WebTorrent.app".
Exactly what I was going to say. We have chosen to let the W3C define protocols. We can always take Chromium or FF and add the needed protocol and the W3C has no validity anymore.
This is the same for the DNS system. We have chosen to let the system be run like it is. But systems such as OpenDNS and Tor have proven that there are workarounds (with their own set of issues). The question basically boils down to having enough of a userbase for the new system to go mainstream.
Is it just me or are these pages not doing anything? I'm looking in the App Cache, Session Storage and I'm not seeing anything. There doesn't seem to be any activity. The page just sits there.