On Wed, Oct 01, 2003 at 07:02:00PM -0700, bear wrote:
> 
> Heh. You looked at my mail headers, didn't you?  Yes, I use pine -
> primarily *because* of that property.  It treats all incoming messages
> as text rather than live code.
> 
> A protocol for text (as opposed to live code) requires compliant
> clients (ie, clients that don't do anything other than display the
> received messages).  As such, it's at least somewhat a social issue.

While I agree that text is far safer than html or a .exe, do you run
Pine on a dumb terminal, or in a window?  If the latter, escape
sequences which most folks would class as "text" can lead to remote
compromise.  There have been occasional bugs in terminal emulators,
in X and others.  TERM=vt100 is in some sense defining an interpreted
programming language, albeit a limited one.

That absolute safety is impossible does not excuse software from our
favorite vendor whose security model is all but impossible to fathom,
so I'm not at all disagreeing with your point.  I use Mutt.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
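
An added illustration of the escape-sequence point in the message above (not part of the original post): a display filter that recognises the control functions a VT100-style terminal would interpret and renders them as inert visible text before anything reaches the screen. The names `neutralize` and `SAMPLE` are hypothetical, and the sample message body is constructed.

```python
import re

# Control functions as a terminal emulator parses them (ECMA-48 / VT100 family).
_SEQ = re.compile(r"""
    (?P<osc>(?:\x1b\]|\x9d)[^\x00-\x1f\x7f-\x9f]*(?:\x07|\x1b\\|\x9c)?)  # OSC, e.g. set title
  | (?P<csi>(?:\x1b\[|\x9b)[0-9:;<=>?]*[ -/]*[@-~]?)                      # CSI, e.g. erase, cursor
  | (?P<str>(?:\x1b[PX^_]|[\x90\x98\x9e\x9f])[^\x00-\x1f\x7f-\x9f]*(?:\x1b\\|\x9c)?)  # DCS/SOS/PM/APC
  | (?P<esc>\x1b[ -/]*[0-~]?)                                            # any other ESC sequence
  | (?P<ctl>[\x00-\x08\x0b-\x1f\x7f-\x9f])                                # bare C0/C1 controls
""", re.VERBOSE)


def _visible(ch):
    """Render one character so the terminal prints it instead of obeying it."""
    o = ord(ch)
    if o < 0x20:
        return "^" + chr(o + 0x40)      # caret notation: ESC -> ^[, BEL -> ^G
    if o == 0x7F:
        return "^?"
    if 0x80 <= o <= 0x9F:
        return "\\x%02x" % o            # 8-bit C1 controls shown as \x9b etc.
    return ch


def neutralize(text):
    """Return (safe_text, findings); findings is a list of (kind, visible_form)."""
    findings = []

    def repl(m):
        shown = "".join(_visible(c) for c in m.group(0))
        findings.append((m.lastgroup, shown))
        return shown

    # CRLF is an ordinary line ending; a lone CR is treated as a control.
    return _SEQ.sub(repl, text.replace("\r\n", "\n")), findings


# Constructed message body: "text" that a terminal would execute.
SAMPLE = (
    "Subject: hello\r\n"
    "plain line\n"
    "\x1b]0;constructed title\x07"   # OSC: change the window title
    "\x1b[2J"                        # CSI: erase the display
    "\x9b31m"                        # 8-bit CSI introducer
    "tab\tkept\n"
)

if __name__ == "__main__":
    safe, found = neutralize(SAMPLE)
    print(safe, end="")
    for kind, shown in found:
        print("found %s: %s" % (kind, shown))
```

Only newline and tab pass through unchanged; everything else in the C0 and C1 ranges is shown rather than interpreted, so the message stays text regardless of which terminal emulator displays it.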