> The notion that e-mail should be permitted to contain arbitrary
> programs that are executed automatically by default on being opened
> is so over the top from a security stand point that it is hard to
> find language strong enough to condemn it. It goes far beyond the
> ordinary risks of end systems.
And, yet, digital rights folk argue that the only way
data can be self protecting (the pre-requisite for data
being out and about on its own), is to wrap said data
in a program which the recipient must execute. All the
music royalty or email self-destruction stuffs basically
take this position. If auto-update of software really
does take hold, whether by contract (UCITA) or by choice
(whopping convenient, that), receiving an executable with
long-lived aftereffect will be part of every ordinary
person's day.
Not denying your point at all -- merely trying to look
well down range. I'm a send-by-reference-not-by-value
sort of guy, but as I see the world, e-mail attachments
are doubtless now the poor man's distributed filesystem,
and the momentum is with ever increasing amounts of
executables being transmitted. Consider, for an example
actually rather related to this Javascript e-mail issue,
the case of Zaplets (http://www.zaplet.com) which has
$100M+ saying that this is the future, or the stored
procedures in many specialized Oracle applications that
take the form of Java applets you download silently to
execute on your end.
Contemplating retirement off the grid,
--dan
