Dan Geer
Tue, 06 Feb 2001 13:50:00 -0800
> The notion that e-mail should be permitted to contain arbitrary
> programs that are executed automatically by default on being opened
> is so over the top from a security stand point that it is hard to
> find language strong enough to condemn it. It goes far beyond the
> ordinary risks of end systems.

And, yet, digital rights folk argue that the only way data can be self protecting (the pre-requisite for data being out and about on its own), is to wrap said data in a program which the recipient must execute. All the music royalty or email self-destruction stuffs basically take this position. If auto-update of software really does take hold, whether by contract (UCITA) or by choice (whopping convenient, that), receiving an executable with long-lived aftereffect will be part of every ordinary person's day.

Not denying your point at all -- merely trying to look well down range. I'm a send-by-reference-not-by-value sort of guy, but as I see the world, e-mail attachments are doubtless now the poor man's distributed filesystem, and the momentum is with ever increasing amounts of executables being transmitted. Consider, for an example actually rather related to this Javascript e-mail issue, the case of Zaplets (http://www.zaplet.com) which has $100M+ saying that this is the future, or the stored procedures in many specialized Oracle applications that take the form of Java applets you download silently to execute on your end.

Contemplating retirement off the grid,

--dan