Barney Wolff
Tue, 06 Feb 2001 18:21:51 -0800
Well, there's quite a distance between executing something that is signed by a public entity during a transaction that I initiate, and having code silently execute because something was pushed to me unsolicited.

btw, the suggested workaround in the privacy advisory does not appear to work - at least on my Outlook, turning off Javascript for the Internet zone turns it off for IE too, which (alas!) is too restrictive to be practical. I have all the MS security updates, according to their Office-Update site.

Barney Wolff

On Tue, Feb 06, 2001 at 04:58:39PM -0500, Dan Geer wrote:
>
> > The notion that e-mail should be permitted to contain arbitrary
> > programs that are executed automatically by default on being opened
> > is so over the top from a security standpoint that it is hard to
> > find language strong enough to condemn it. It goes far beyond the
> > ordinary risks of end systems.
>
> And, yet, digital rights folk argue that the only way
> data can be self protecting (the pre-requisite for data
> being out and about on its own), is to wrap said data
> in a program which the recipient must execute. All the
> music royalty or email self-destruction stuffs basically
> take this position. If auto-update of software really
> does take hold, whether by contract (UCITA) or by choice
> (whopping convenient, that), receiving an executable with
> long-lived aftereffect will be part of every ordinary
> person's day.
>
> Not denying your point at all -- merely trying to look
> well down range. I'm a send-by-reference-not-by-value
> sort of guy, but as I see the world, e-mail attachments
> are doubtless now the poor man's distributed filesystem,
> and the momentum is with ever increasing amounts of
> executables being transmitted. Consider, for an example
> actually rather related to this Javascript e-mail issue,
> the case of Zaplets (http://www.zaplet.com) which has
> $100M+ saying that this is the future, or the stored
> procedures in many specialized Oracle applications that
> take the form of Java applets you download silently to
> execute on your end.
>
> Contemplating retirement off the grid,
>
> --dan