Email conversation
| From | Lee Underwood |
|---|
| To | Me |
|---|
| Subject | Script Usage and a note |
|---|
| Date | 19 June 2007 20:47 |
|---|
I was wondering if you would mind if I posted some of your scripts from
<http://www.howtocreate.co.uk/> over at JavaScript Source
<[URL]>? You have a good collection. I would, of
course, give you the proper credit and provide a link back to your Web site.
[ Terms and Conditions: [URL]]
I also wanted to comment on your links page
<http://www.howtocreate.co.uk/JSdocsMS.html#fjs>. You stated that
ScriptSearch had "Many, many scripts, including JavaScript viruses!" We do
not have any viruses on our site. In fact, ScriptSearch itself does not have
any actual scripts. We only provide links to other sites that are submitted
to us. I am curious as to where you received that information.
Thanks in advance,
Lee Underwood
| From | Me |
|---|
| To | Lee Underwood |
|---|
| Subject | Re: Script Usage and a note |
|---|
| Date | 20 June 2007 14:25 |
|---|
Lee,
> I was wondering if you would mind if I posted some of your scripts from
> <http://www.howtocreate.co.uk/> over at JavaScript Source
> <[URL]>? You have a good collection. I would, of
> course, give you the proper credit and provide a link back to your Web
> site.
Thankyou for the compliments, but no. I do not want any of my scripts to be
posted on other sites like this. They have their own home on my site where I
can update them as often as I need to, with my own site organisation and
context. You are of course welcome to link to my script collection page or
tutorials from a links page, such as your "Developer Channel" links panel.
> In fact, ScriptSearch itself does not have any actual scripts. We only
> provide links to other sites that are submitted to us. I am curious as to
> where you received that information.
When I wrote that page, I had been browsing the script collections on that
site for many months. During that time, I encountered countless scripts that
triggered virus scanner warnings - typically the "viruses" (actually trojan
malware) that attempt to set the user's homepage etc in IE without prompting
the user, by exploiting various ActiveX vulnerabilities.
Whether the scripts are hosted by you, or linked to by you makes no
difference to a user. They use your listing, download a script that you link
to, and end up having downloaded some malware. For as long as you link to
scripts instead of hosting them and checking them yourselves, you will leave
your users exposed to this, especially since the script can be changed by
the site owner after you link to it.
Mark 'Tarquin' Wilton-Jones - author of http://www.howtocreate.co.uk/
| From | Lee Underwood |
|---|
| To | Me |
|---|
| Subject | Re: Script Usage and a note |
|---|
| Date | 20 June 2007 15:24 |
|---|
Mark,
Thanks, I can appreciate your comments about your scripts.
However, your comments regarding ScriptSearch are misleading and deceptive.
You state that WE, ScriptSearch, have the viruses but then in your comments
below you acknowledge that they are not hosted on our Web site, therefore
the statement is false. I can assure you that we -- [company name]
-- do not execute any scripts in the background that attempt to make changes
your browser. I can also assure you that it would be impossible to obtain a
virus from one of the sites that we linked to by just browsing our Web site.
They're just links, nothing more. If you obtained a virus from visiting one
of the listed sites then it was not from our Web site; rather it was from
the linked site. In that case, you should have notified us and we would have
removed the link immediately. That would have been the proper netiquette,
rather than defaming our Web site.
The idea that we provide only links and that you have gotten viruses from
browsing those links is not logical at all. As I said, if you received a
virus from visiting one of the linked sites it does not mean that WE have
the virus. Your logic is quite flawed in that you also provide links (one to
ScriptSearch, for instance). Therefore, using your logic, you also have
viruses. Would you like others that link to your site to list that you have
viruses on your Web site? Just because someone links to another Web site and
that other Web site has viruses does not mean that the linking Web site has
the viruses. That would be ludicrous. That would mean that Google has
viruses because it provides links to Web sites that actually do have
viruses; shall I then inform Google that you are reporting that they have
viruses on their Web site?
I would suggest that you rethink your logic as you are libeling our Web
site. Please either remove the comment about the viruses or remove the link
to our Web site altogether.
Thank you,
Lee Underwood
| From | Me |
|---|
| To | Lee Underwood |
|---|
| Subject | Re: Script Usage and a note |
|---|
| Date | 20 June 2007 18:22 |
|---|
Lee,
> I can also assure you that it would be impossible to obtain a virus from
> one of the sites that we linked to by just browsing our Web site.
That is absolutely not true, and by making that assurance, you show that you
clearly misunderstand how viruses can be installed, and what constitutes
browsing. For example, I browse through your site as follows:
* click Javascript link
* click scripts link
* click user information link
* click Ask Visitor For Name Alert Script link
* click Web Site URL link, which links to a page _on your site_, not the URL
in the link text
I am still browsing your site - the address bar on my browser still shows
your site's address.
The page on your site is holding a page from another site in a frame. That
page is hosted on another server, and could easily have some code on it that
uses an unpatched vulnerability in the user's browser to install a virus.
But that does not change the fact that I am still browsing your site.
Pages that I was viewing in this way tried many times to install viruses.
Some of them offered that sort of malware code for download.
I am not stupid, and I do recognise that it is another site that installed
it, but it is your site that I am browsing.
> you should have notified us and we would have removed the link
> immediately. That would have been the proper netiquette, rather than
> defaming our Web site.
No. You are the ones recommending these scripts. You should be checking they
are safe, and not relying on me to do that for you. I am not a virus
checking service. After seeing so many trojans, I simply gave up trying and
felt it would be better to warn people before they visited the site. The
fact that you were recommending so many of these scripts did not inspire any
confidence in me that you would listen to my email. Perhaps that is my
failing, but do not try to make me feel guilty for the fact that you have
recommended scripts to people when they contain malware.
When I linked to your site, I checked to see that what I was linking to was
not always safe, so I made sure that I warned my readers of that fact. You
should do the same when you link to a site or display it in a frame on your
own site.
> Please either remove the comment about the viruses or remove the link to
> our Web site altogether.
I would prefer to reword it to indicate that you link to the scripts, not
hosting them.
Personally, however, I think it is important to warn my readers about this.
You should feel it is important to warn them too, since they are your
visitors. In your position, I would not be trying to make excuses, but
instead I would be feeling guilty for what is an obvious failing in the way
the site is managed. Of course, if you feel it is better to ignore it or
blame it on someone else, then that is upto you, and you are welcome to your
opinion, but you cannot expect me to share it.