Re: Reliance on Microsoft called risk to U.S. security

2003-10-02 Thread Barney Wolff
On Wed, Oct 01, 2003 at 07:02:00PM -0700, bear wrote: Heh. You looked at my mail headers, didn't you? Yes, I use pine - primarily *because* of that property. It treats all incoming messages as text rather than live code. A protocol for text (as opposed to live code) requires compliant

Re: Reliance on Microsoft called risk to U.S. security

2003-10-02 Thread lists
From: bear [EMAIL PROTECTED] Heh. You looked at my mail headers, didn't you? Yes, I use pine - primarily *because* of that property. It treats all incoming messages as text rather than live code. BUGTRAQ in the last 3 years lists over 80 mails on pine - including reference to this recently:

Don't kill the messenger (was: Re: Reliance on Microsoft called risk to U.S. security)

2003-10-02 Thread Roy M. Silvernail
On Wednesday 01 October 2003 22:02, bear wrote: No, it is not. You can make a hyperdocument that is completely self-contained and therefore text, but that is not how HTML is normally made. HTML can cause your machine to do things other than display it, and to that extent it is code, not

Re: Reliance on Microsoft called risk to U.S. security

2003-10-02 Thread Jerrold Leichter
| Can be relied on to _only_ deliver text is a valuable and important | piece of functionality, and a capability that has been cut out of too | many protocols with no replacement in sight. While I agree with the sentiment, the text/code distinction doesn't capture what's important. Is HTML

Re: Reliance on Microsoft called risk to U.S. security

2003-10-02 Thread Bill Frantz
Peter has raised a number of important points. Let me start by saying that I do not see a strong distinction between a file to be viewed and a program. Both are instructions to the computer to perform some actions. While we might think the renderer showing us flat ASCII text is quite

Re: Reliance on Microsoft called risk to U.S. security

2003-10-01 Thread Peter Gutmann
Bill Frantz [EMAIL PROTECTED] writes: The real problem is that the viewer software, whether it is an editor, PDF viewer, or a computer language interpreter, runs with ALL the user's privileges. If we ran these programs with a minimum of privilege, most of the problems would just go away. This

Re: Reliance on Microsoft called risk to U.S. security

2003-10-01 Thread bear
On Wed, 1 Oct 2003, Peter Gutmann wrote: This doesn't really work. Consider the simple case where you run Outlook with 'nobody' privs rather than the current user privs. You need to be able to send and receive mail, so a worm that mails itself to others won't be slowed down much. In addition

Re: Reliance on Microsoft called risk to U.S. security

2003-09-28 Thread William Allen Simpson
Jeroen C.van Gelderen wrote: On Saturday, Sep 27, 2003, at 15:48 US/Eastern, [EMAIL PROTECTED] wrote: You have not met my users! Indeed, but I'm here to learn :) ... something is wrong. Why would she click YES? ... Because I'm an optimist I believe that Alice will read the dialog

Re: Reliance on Microsoft called risk to U.S. security

2003-09-28 Thread Jeroen C . van Gelderen
On Saturday, Sep 27, 2003, at 20:31 US/Eastern, Zooko wrote: Jeroen C. van Gelderen [EMAIL PROTECTED] wrote: There is no way around asking the user because he is the ultimate authority when it comes to making trust decisions. (Side-stepping the issues in a (corporate) environment where the owner

Re: Reliance on Microsoft called risk to U.S. security

2003-09-28 Thread Bill Frantz
At 8:12 AM -0700 9/27/03, [EMAIL PROTECTED] wrote: On Fri, 26 Sep 2003, Bill Frantz wrote: The real problem is that the viewer software, whether it is an editor, PDF viewer, or a computer language interpreter, runs with ALL the user's privileges. If we ran these programs with a minimum of

Re: Reliance on Microsoft called risk to U.S. security

2003-09-27 Thread Victor . Duchovni
On Fri, 26 Sep 2003, Bill Frantz wrote: The real problem is that the viewer software, whether it is an editor, PDF viewer, or a computer language interpreter, runs with ALL the user's privileges. If we ran these programs with a minimum of privilege, most of the problems would just go away.

Re: Reliance on Microsoft called risk to U.S. security

2003-09-27 Thread Jeroen C . van Gelderen
On Saturday, Sep 27, 2003, at 11:12 US/Eastern, [EMAIL PROTECTED] wrote: On Fri, 26 Sep 2003, Bill Frantz wrote: The real problem is that the viewer software, whether it is an editor, PDF viewer, or a computer language interpreter, runs with ALL the user's privileges. If we ran these programs

Re: Reliance on Microsoft called risk to U.S. security

2003-09-27 Thread Victor . Duchovni
On Sat, 27 Sep 2003, Jeroen C.van Gelderen wrote: I continue to believe that few users would grant an email message access to both the Internet and the Address Book when they are asked those two questions, provided that the user had not been conditioned to clicking YES in order to get any

Re: Reliance on Microsoft called risk to U.S. security

2003-09-27 Thread Will Rodger
The report, written by many a crypto list member, is at: http://www.ccianet.org/papers/cyberinsecurity.pdf Will Rodger

Re: Reliance on Microsoft called risk to U.S. security

2003-09-27 Thread Jeroen C . van Gelderen
On Saturday, Sep 27, 2003, at 15:48 US/Eastern, [EMAIL PROTECTED] wrote: On Sat, 27 Sep 2003, Jeroen C.van Gelderen wrote: I continue to believe that few users would grant an email message access to both the Internet and the Address Book when they are asked those two questions, provided that

Re: Reliance on Microsoft called risk to U.S. security

2003-09-26 Thread martin f krafft
also sprach Ian Grigg [EMAIL PROTECTED] [2003.09.25.2253 +0200]: I wouldn't put all of the blame on Microsoft, Schneier said, the problem is the monoculture. On the face of it, this is being too kind and not striking at the core of Microsoft's insecure OS. For example, viruses are almost

Re: Reliance on Microsoft called risk to U.S. security

2003-09-26 Thread Victor . Duchovni
On Thu, 25 Sep 2003, Ian Grigg wrote: On the face of it, this is being too kind and not striking at the core of Microsoft's insecure OS. For example, viruses are almost totally a Microsoft game, simply because most other systems aren't that vulnerable. While part of the security problems

Re: Reliance on Microsoft called risk to U.S. security

2003-09-26 Thread Bill Frantz
At 6:47 AM -0700 9/26/03, [EMAIL PROTECTED] wrote: While part of the security problems in Windows are Microsoft specific, in my view a large part is inherited from earlier graphical desktop designs, and is almost universal in this space. Specifically, when a user clicks (or double-clicks) on an

Reliance on Microsoft called risk to U.S. security

2003-09-25 Thread R. A. Hettinga
http://channels.netscape.com/ns/news/story.jsp?id=200309241951000228064dt=20030924195100w=RTRcoview= Reliance on Microsoft called risk to U.S. security SEATTLE, Sept 24 (Reuters) - Computer security experts issued a joint report on Wednesday saying that the ubiquitous reach of Microsoft

Re: Reliance on Microsoft called risk to U.S. security

2003-09-25 Thread Ian Grigg
R. A. Hettinga wrote: http://channels.netscape.com/ns/news/story.jsp?id=200309241951000228064dt=20030924195100w=RTRcoview= Reliance on Microsoft called risk to U.S. security But the security experts said the issue of computer security had more to do with the ubiquity of Microsoft's