blog

  1. The JavaScript Black Hole

    A playbook for ethical engineering on the web.

    In the 25 years since JavaScript was first added to Netscape Navigator, the language has evolved from a cute little toy to an integral part of the Internet. JavaScript frameworks such as React and Angular have transformed the web, bringing us fully fledged client-side applications with functionality that could only be imagined just a decade ago. In the process, the web has become more powerful, but also much more dangerous. Malware and mass surveillance have become persistent threats, fueled by the ever-expanding amounts of user data exposed by new JavaScript features, and sucked into the black hole of omnipresent tracking networks. With real human costs, these threats have been worsened by the increasingly popular belief that "the web browser is an operating system, and everything is an app."

    This essay is written for web developers and people interested in the field. In it, I break down the problems mentioned above, demonstrate some commonly used JavaScript practices that can expose users to harm, provide examples of actual harm being done, and ultimately propose some actionable alternatives that we, as developers, can adopt to prioritize ethical engineering and minimize harm for our users, while still building feature-rich applications.

    Posted 2020-04-04 11:40:00 CST by henriquez. 12 comments
  2. Posted 2020-03-14 12:08:00 CST by henriquez. 1 comment
  3. Obsessive Network LLC Launches Memespeech, An Unbannable End-to-End Encryption Format

    MINNEAPOLIS, MARCH 12, 2020 – FOR IMMEDIATE RELEASE

    ObSesSIVE nEtwoRk Llc HAS lAUNcHeD MemEsPeEcH, a NEw eNd-To-end EncryptiON FOrMAT thaT Is legaLly iMPoSSiBLE For the U.s. GOvernmeNT to bAN. MemESPEEch ENablES CONsUMErS tO hIdE EncryPTed MeSSAGES WITHin OrDInAry PaSSages oF FReE SPEECh. WItHoUT ThE DecrYpTIOn PASsWORd, iT iS IMpoSSiblE TO KNOw WhETher a PaSSagE OF mEmEspeEcH cOnTAinS AN ENCrYPTeD meSSAge, TherefORe thE U.s. GovernMENT cOULD Not bAN MEMESpEech WitHoUT BaNnInG SpEEch, ChEcKmate.

    IN TOdAY'S cOMPETiTIVE LaNDSCApe, thE U.S. cOngrESS hAS propOsEd A piecE OF leGISLAtioN CALLed tHe EarN iT Act, wHicH WouLD GIVe tHE U.s. ATTorneY GenerAL uNIlaTeRaL ConTRol OVeR HOw tecH COmPaniEs ImpLEMenT encRyptiOn TEchnOloGy. PURportEDlY AiMed AT StOppING peDoS FroM sHarINg kidDIe pOrn on facEbOOK (WhIcH has bECOmE a dIsGUSTing cESspOol OF FILth), tHE eARn iT acT HeRoicallY ENds aLL ChILD PoRN by bannINg All intERnet SecURItY.

    MeMEsPEeCh EnABles useRs whO sTiLL waNt secURiTy tO aDD THEir OWn ENCrYPtIOn BaCK iN to coMmUnICatIOn ApPs THaT aLLOw uSErs to ExcHAnGE teXT MessagES, thEreBy lEveraginG rEsoURcEs ANd addinG vAluE. as ThE maRkEt eVOlVEs, ComPAnIEs mAy bE foRCED to put BacKdooRS in thEIR own eNcryPtION, bUT they will nOT bE ABLE To IntErCEpt ThE ENCryPted MESSaGES CONsUmeRs SENd Over their netwoRkS witH mEmESpeEch. ThiS WILL CreAte nEw oPporTuNItiEs IN THe law eNfoRcemENT SECtoRs tO whine AbOUt nOt BeIng AblE to SPY On EVErythinG.

    MEMeSpEecH waS dEvElopeD by ObseSSIvE NEtWoRk lLc, A bOOTsTRaPPED UnICorn StARtUp WIth a $1.3 BIllIoN VaLuatIon aND A LeaDiNg-EdGe tEAM Of rocKsTAr nINJa 10X DEVeLoPErS wIth A CoLLECtiVE exPErience oF 75,000,000 years Of RUsT ANd goLang.

    "aftER COLlAboRaTINg WITh conSUmer rElATiOns AND brand EXperT teAmS AcRoss tHe INdustry, We ReaLIzeD THAt meMESpEECh CoULD rEVoLuTionizE ThE CONSUMER-suCCesS StRATegIes of OUr StAKeHOLDERs BY UsiNG BIG DATa machIne leaRNINg aI," saId heNRiQuez, sOME GuY At OBSesSiVe netWork.

    MeMeSpeECH is iMMeDIATeLy AvAilAbLE as a brOWSER eXTeNSiON foR MOzILla FIrefox anD GoOgle chROmE, As wEll as A dEvElOpER sPECIfiCatIoN, enAbLInG enGinEeRs tO DEVElOP mEmeSpEeCh implEMeNTATIon iN tHE LanGuAgeS oF THeir ChOicE.

    Posted 2020-03-12 16:20:00 PST by henriquez. 1 comment
  4. Obsessive Facts

    Welcome to our newly relaunched site. We hope you will stay awhile and learn about us.

    Obsessive Facts is our website. Obsessive Network LLC is our organization. We exist to build new technologies and engage in advocacy to promote and protect freedom of expression on the Internet. Our secondary objective is to sustain ourselves.

    There's more we could say, but words are boring when weighed against actions, and we are compelled to act. So maybe just stay tuned, smash that RSS button for notifications, and watch the pieces come together.

    Posted 2019-12-25 00:35:00 PST by henriquez. Comments
  5. Cryptoops — a totally pointless JS crypto library

    I've recently been working on a project that involves encryption in web browser extensions, like take some text and encrypt it using a password. Pretty standard, except how do you do that in JavaScript? Due to my obsessive aversion to third-party client dependencies, the decision was clear: I must read the specifications to all the relevant cryptographic standards and implement the algorithms myself in JavaScript, from scratch.

    It never dawned on me that in the half-decade since I last played with JS crypto, perhaps things might have advanced past the previous status quo of "roll your own crypto library #yolo". I neglected to consider the possibility that all of this functionality might be already baked into modern web browsers. Well, turns out it is. While I was putting the finishing touches on my library (using a Web Worker to make it multi-threaded), I stumbled onto documentation for the Crypto.subtle API, a.k.a. everything I had just built but way faster due to being compiled code that takes advantage of native cryptographic CPU instructions. Oops.

    I can't bring myself to straight-up delete this code, but in reality it should never be used by anyone for any reason. Rather than try to make some sort of point (this is pointless), I'll leave it here for those who click "Read More."

    Read More

    Posted 2019-11-02 19:24:00 CST by henriquez. Comments