In message <v0421010db6a6089ec201@[24.218.56.92]>, "Arnold G. Reinhold" writes:

>>
>
>While I certainly agree with your general point, I don't think this 
>case is a good exemplar.
>
>"The exploit requires the person reading a wiretapped email
>message to be using an HTML-enabled email reader that also
>has JavaScript turned on by default."
>
>The notion that e-mail should be permitted to contain arbitrary 
>programs that are executed automatically by default on being opened 
>is so over the top from a security standpoint that it is hard to 
>find language strong enough to condemn it.  It goes far beyond the 
>ordinary risks of end systems.

Actually, I don't think so.  One of my (many) points here is 
*precisely* that a lot of email *does* contain such code.  It 
shouldn't, of course, and sometimes (unlike this case) the authors of 
the mail reader tried to prevent it.  But when I look at the number of 
mail-vectored worms we've seen in the last couple of years, I'm quite 
skeptical.

                --Steve Bellovin, http://www.research.att.com/~smb


