how do I get off this list? to join a learning community about communication and in order to help cure human problems join for free http://www.communicationinstitute.com wayfayer tomm ----- Original Message ----- From: "Nick Simicich" <[EMAIL PROTECTED]> To: "Chuq Von Rospach" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Monday, July 08, 2002 1:03 PM Subject: Re: The role of the mailing list
> At 11:57 PM 2002-07-07 -0700, Chuq Von Rospach wrote: > >Nick made a number of comments I mostly don't agree with (HTML is not a > >programming language. It's a markup language. His statement, if true, also > >makes the statement "wordstar is really a compiler" also true, which it's > >not. > > No, it is an interpreter. Difference -- a programming language does not > always imply a compiler. Wordstar, and Microsoft Word, and the html > viewers you use are all interpreters, as much as Javascript is interpreted. > All of these things have "intended actions" and (likely) "unintended > actions", situations where you can feed them invalid input and get them to > do unexpected (by the original coder) things. (As opposed to the typical > Word Macro Virus issue, where the virus is actually written in the macro > language and uses the ordinary language facilities). The number of > unintended actions is likely correlated to the general care used by the > coder, the language used, the standards and procedures used, and so forth. > > This goes back to the "Use a viewer rather than Microsoft word to look at > your documents." It may work by limiting intended actions, as the viewer > may be missing the macro language that is bundled into full word, but it > may not limit unintended consequences --- the document may well have > overflows that translate into arbitrary code execution. > > > HTML has had stuff tossed onto it, whether it's javascript or java > >applets or activex or whatever, and those things ARE active code pieces -- > >but they are NOT HTMl. Pure HTML is benign. It can be used to bring in > >non-benign pieces, but that doesn't mean HTML is non-benign, and that's > >where you get the ability to protect the user from those non-benign > >pieces...) -- and other than the previous, I'll disagree without comment > >because most of the disagrements are philosophical. > > Perhaps, and perhaps things are just definitions. I will agree with you > that the intention of pure HTML (that is, HTML without intended scripting) > is to be a benign markup language. How well it succeeds at that is relative > to how well the interpreter is written. > > >But he also said something on the order of "stop protecting against viruses, > >too" -- and in many ways, he's correct. We CAN, actually, simply go to a > >caveat emptor approach. > > That was a sarcastic strawman. > > >Nick is running up the strawman that if we can't do everything, all the > >time, then don't do anything. That obviously fails, but it's a wonderful > >rhetoric. > > I agree that it obviously fails. The point is to do as well as we > can. This leads to my point in the final paragraph... > > >My counter-argument is that we have a responsibility to do what we can > >safely and reasonably, help users understand the risks where we can't > >provide that safe harbor, but at the same time, we have to be very careful > >about what things we choose to put into our purview of responsibility. > > > >Protecting end-users form viruses is a no-brainer. We can do it for the most > >part pretty well. Viruses serve no useful or constructive purpose. Even if > >Joe sixpack doesn't care if he gets infected, we do, because his infection > >impacts other users elsewhere (and from the public health real world > >analogy, there's a precedent of isolation and forced innoculation even > >against the wishes of the user we can adopt). > > > >But when you start talking about HTML and web bug issues, it gets a lot less > >clearcut. YOU may feel strongly about privacy issues, but does running a > >mail list give you the right to force your privacy views on your users? > > My definition of my mailing lists is that I am not simply a xerox > machine. I decide what to forward to my users and what not to. You have > already agreed that my approach is a good idea, the question is, where do > you stop? There are probably users who disagree with removing viruses from > the mailing lists --- but I don't care that much. > > For example, I noted in a separate message that I remove some headers from > e-mail, and not only errors-to. I also remove all headers that generate > those "The user has requested notification that you read their message," > or "the originating user has flagged this message as important." I add > footers. I automatically filter for other content and edit it. > > Let's put it a different way: Supposing you do remove web bugs and > scripting. Will any of your users notice? Will any care? > > >With > >viruses, there's a clear "protection of the commons" need here. You can't > >have someone with mumps running around the pregnant women. But that is far > >from clear on privacy. If the user doesn't care about web bugs, what gives > >you the right to force your view of that on them? Where does that privacy > >issue become one of the commons, where failing to protect users causes > >damage to that commons? > > If you consider your lists to be a commons, that also means that you > recognize the right of people to post handbills there. I don't. But the > precedence is that, (even if you consider yourself a common carrier) is > that common carriers have generally protected the privacy of their users > until and unless the users have asked that their privacy be discarded. > > >I just don't believe it's there. I do believe list admins can evangelize > >their views, but where virus fighting is an attempt to mitigate damage > >caused ot the commons we all use, this privacy stuff is instead an attempt > >to force a personal agenda on the users of the list, where you effectively > >are telling the users what they have to believe -- and that coercion doesn't > >come with any justification of common need like the virus hacks do. > > Sure it does: The protection of their e-mail addresses from exposure to > harvesters. And the protection of their privacy. > > For example, someone could sign up to one of my lists with their real > e-mail address, and never post. Their e-mail address is not available to > the public. I no longer, for example, allow "who" or "which" commands by > non-admins (at the user's request initially, I had not thought of it at > that point, this was some time ago). But if I allow the transmission of web > bugs, or HTML scripting in the archives that opens them to cross site > scripting vulnerabilities, their addresses and privacy are not protected. > > >So in one case you're taking action for common good and protecting users who > >may be incapable of that action themselves. But in another, it's effectively > >saying "you have to do it my way", but without the damage to the commons > >that comes from inaction. One is the health department locking up people > >with active TB so others don't get it. The other is Greenpeace blockading an > >Esso station because they feel you shouldn't be buying gas there. > > It is more like, "The phone company insisting that they will not install a > pen register on your line unless presented with a warrant." You > know? Probably 80-90% of the people would not care if the government could > get a pen register without a license. > > >Do you, as list admin, have the right to act as greenpeace? I don't believe > >so. > > I don't think your analogy is at all correct. You might think it is, but > that is because your world view is warped from too much use of apple > computers. :-) > > My other point is that you have to do it anyway to make the archives safe > for viewing. You might as well make the archives representative of the > actual content distributed on the list. > > -- > "Forgive him, for he believes that the customs of his tribe are the laws of > nature!" > -- George Bernard Shaw (1856-1950) > Nick Simicich - [EMAIL PROTECTED] > >
