In message <v0421010db6a6089ec201@[]>, "Arnold G. Reinhold" writes:

>While I certainly agree with your general point, I don't think this 
>case is good exemplar.
>"The exploit requires the person reading a wiretapped email
>message to be using an HTML-enabled email reader that also
>has JavaScript turned on by default."
>The notion that e-mail should be permitted to contain arbitrary 
>programs that are executed automatically by default on being opened 
>is so over the top from a security stand point that it is hard to 
>find language strong enough to condemn it.  It goes far beyond the 
>ordinary risks of end systems.

Actually, I don't think so.  One of my (many) points here is 
*precisely* that a lot of email *does* contain such code.  It 
shouldn't, of cousre, and sometimes (unlike this case) the authors of 
the mail reader tried to prevent it.  But when I look at the number of 
mail-vectored worms we've seen in the last couple of years, I'm quite 

                --Steve Bellovin,

Reply via email to