Snap! version 6.9 and the JavaScript Function block

This is why the creation of a fake snap.berkeley.edu site is worrisome.

(maybe offtopic?)
That's not possible unless the admin explicitly gave root access through something like sudo or another suid executable, or the user runs as root. Both are unlikely considering the restrictions schools put on computers. If it was an oversight, it's a security vulnerability in the operating system itself. And what school system buys Macs when there are better things to spend their money on?

Whenever any project runs a JS Function block, 6.9 gives an error message, by default. If you check the "JavaScript extensions" option, then JS Function blocks work as always. It doesn't matter whose JS code it is, since we don't know that -- maybe you remixed someone else's project, for example.

Look, just try it! Load a project with JSF blocks and see what happens.

How did they convince the users to download and run it if it was part of the project?

Wait, so they did something that seems impossible? That is very concerning, but maybe you could blacklist the word 'Password' in JS blocks. You could also make a detector that can detect if a project is filled with exploits or viruses, that will immediately delete it and send an email to the creator. There should also be more moderators if email and more moderator privileges. I do not know the powers of Snap! moderators, but if they do not already have these I recommend it.

  • An alert system that emails them when a blacklisted code line that involves (Ex: Password) appears, so they can look into it; it should detect this when a project is shared or published.
  • They probably already have this but they should be able to open the editor of any project to inspect it.
  • They should probably be able to delete accounts if they are not already or ban accounts for a certain time.

In my opinion, I do not think Snap! has enough mods; it has, I think, 12 or fewer? I think you guys should hire more. I really think the idea about blacklisted code will work on phishing.

Once more, I'm not a security expert and I have no opinion about any security issue except that it's one of the two things (the other being floating point computation) that you should never try to do yourself, but should instead hire an expert. Certainly there have been security holes in operating systems once or twice in my lifetime. (<-- sarcasm.)

Not gonna get into why schools do or don't buy Macs; the point is, when I saw that line in the code I stopped reading and told GitHub to have their security expert look into all this. For all I know there are other exploits for other OSes too.

There are legitimate uses of that word.

How?
Also, you can obfuscate code and session hijack without the word filter detecting it.

Example (not malicious)
[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]
+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])

Worked, thanks. I should have tried that before. But what about if you're not in the editor and you're just playing it? Shouldn't a popup show up saying something like 'This project uses JS blocks; please run the project in the editor' or 'Please enable JS blocks in your settings'? So far you can only run JS in the editor; what about outside the editor? Is this what Jens was talking about?

I do not know how it is an idea. I know of chat filters for games so I figured something like that idea.

When I was a high school teacher, millions of years ago, we had a rash of students writing login simulators, and so I did something like what you're suggesting, searching every file on the disk for the string "Password." So then students wrote programs saying

printf("Pass");
printf("word: ");

(This was on a Unix system, so the cool kids programmed in C.)

TL;DR: There's no way to win that sort of war.
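The obfuscated (JSFuck-style) post above and the `printf("Pass"); printf("word: ");` story make the same point: a moderation filter reads source text, but the program assembles the string at run time. The following is an added illustration, not Snap!'s code or anything from the thread; the function names and the five constructed snippets are invented for the example, and the snippets are run with the Function constructor the way a JS Function block would evaluate them.

```javascript
// Added example (not Snap!'s code): why a substring filter on "Password"
// cannot catch a login simulator. The filter sees source text; the program
// builds the string when it runs. Helper names are invented for illustration.

// The proposed moderation check: flag any JS source containing a banned word.
function naiveWordFilter(source, banned = ["password"]) {
  const lower = source.toLowerCase();
  return banned.some((w) => lower.includes(w));
}

// Run a snippet the way a JS Function block would (Function constructor) and
// return what it produces. Only ever called on the constructed samples below.
function runSnippet(source) {
  return new Function(source)();
}

// Constructed sample snippets. Every one of them produces exactly "Password".
const SAMPLES = {
  // 1. The obvious form: the only one the filter catches.
  plain: 'return "Password";',
  // 2. The printf("Pass"); printf("word: ") trick, in JavaScript.
  split: 'return "Pass" + "word";',
  // 3. Character codes: no letter of the word appears in the source.
  charCodes: 'return String.fromCharCode(80,97,115,115,119,111,114,100);',
  // 4. Base64: "UGFzc3dvcmQ=" decodes to "Password" (atob in browsers and
  //    recent Node; Buffer fallback for older Node).
  base64:
    'var b = "UGFzc3dvcmQ="; return typeof atob === "function"' +
    ' ? atob(b) : Buffer.from(b, "base64").toString();',
  // 5. JSFuck style: letters taken from "false", "true" and "undefined"
  //    coercions ("false"[1] = a, "false"[3] = s, "true"[1] = r,
  //    "undefined"[2] = d), with char codes for the letters those lack.
  coerced:
    'var a = (![]+[])[+!+[]], s = (![]+[])[!+[]+!+[]+!+[]],' +
    ' r = (!![]+[])[+!+[]], d = ([][[]]+[])[!+[]+!+[]];' +
    ' return String.fromCharCode(80) + a + s + s +' +
    ' String.fromCharCode(119, 111) + r + d;',
};

// For each sample: did the filter flag the source, and what did it build?
function evaluateFilter(samples = SAMPLES) {
  const report = {};
  for (const [name, src] of Object.entries(samples)) {
    report[name] = { flagged: naiveWordFilter(src), produces: runSnippet(src) };
  }
  return report;
}

// Bypasses: snippets that build the banned word yet were not flagged.
function countBypasses(report = evaluateFilter()) {
  return Object.values(report).filter(
    (r) => !r.flagged && r.produces.toLowerCase() === "password"
  ).length;
}

const report = evaluateFilter();
for (const [name, r] of Object.entries(report)) {
  console.log(`${name.padEnd(10)} flagged=${r.flagged} produces=${r.produces}`);
}
console.log(`bypasses: ${countBypasses(report)} of ${Object.keys(report).length}`);
```

Four of the five snippets slip past the filter while producing the identical string, and each bypass takes one line to write; a filter that tried to follow these patterns would have to evaluate the code, at which point it is no longer a word filter.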

Are you talking about this?

What about password hacking? Well, there is some. The first time a student asked me how to turn off echoing to a terminal, I suspected that what he wanted was to write a login simulator, but I encouraged the project as one that provided a strong motivation to learn. I thought that the reaction of other students, when the project became public knowledge, would be enough to control password hackers. I was a little too optimistic; it took a good deal of struggle to make the point. The problem is a recurring one, partly because every year brings a new batch of unsocialized freshmen. But a strong deterrent is the fact that students aspire to "superuser" status, that is, a privileged account given to system administrators. Superuser candidates must be accepted both by the existing superusers, to ensure their technical competence, and by the entire CCUS membership, to ensure that they are trusted by the community. The students who have the skill and interest to be potential password hackers are also the ones who want to keep the trust of their colleagues.

There's no way to filter strings successfully; people will just keep finding clever workarounds until you give up.

We all think that! Unfortunately, we are a zero-budget project. (SAP is contributing the time of three people on their payroll, including Jens, but they're not interested in hiring 12 more.)

But no matter how many people we had, we wouldn't have enough to investigate every project that every user publishes. That's like trying to solve traffic jams by widening the highway. (Namely, by the time you get that built, there are more cars.)

OK, thanks. I was less concerned about whether I had caught an infection than about how I should advise students to interact with Snap next school year. It sounds to me like this is much security ado about very little (which is to say, the appropriate amount of ado).

Solution: a d s

(Not popup just use google ads maybe add them on the side of the forums page or side of the main site page)

I'm honored that you read my old articles! :~) And, yeah, that.

The scope of the problem was very different then, though. There was no Internet. (There was the Arpanet, but random high schools weren't on it.) So the good guys and the bad guys were all in the same room, and nobody really wanted to hurt anybody; they just wanted to show off.

Many ads use Google, which is known for contradicting its motto and being evil with trackers.

New update long comments:(

So is this right? To say that?

Also, are libraries using JS exempt from this?
(quote unrelated to above text)

Two words

hash collision

Ugh. No.

You make a lot of money from advertising if you're Google or Facebook and you provide the infrastructure that allows targeted advertising. If you're a little web site with only a few users, maybe you make enough money to feed your Diet Coke with Splenda habit.

And, kids and parents and teachers trust us because we don't exploit kids to make money. If we were ever going to change that, I'd vote to charge you $5/month or something, rather than run advertising whose content we don't control.