Mathias Bauer wrote:
...
> It's my firm belief that security by complexity doesn't work. There are
> only two ways to safeguard you against negative influences from certain
> features - avoid them completely or understand what you are doing and
> act wisely. If understanding potential risks of a certain feature is too
> hard it should perhaps indeed be removed. I don't think that this is
> true for macros. But YMMV.

Ok, lots of good analysis there. Let's take the second alternative from
your final summary: "understand what you are doing and act wisely."

Here's what I see when I open an official OO.org feature spec:
http://specs.openoffice.org/appwide/linguistic/Set_Language_Attribute_for_Text.odt

=======================================================================
/tmp/Set_Language_Attribute_for_Text.odt
The document contains document macros.
Macros may contain document viruses. Disabling macros for a document is
always safe. If you disable macros you may lose functionality provided
by the document macros.
Enable Macros -- Disable Macros
=======================================================================

Exactly what in that message will allow me to "understand what you are
doing and act wisely?"

I have no information at this point--none--with which to make a rational
decision other than to disable the macros because that's "always safe."
What is the purpose of the macro(s)? Do I need them for my purpose in
opening this document?

The document comes from an OO.org web page so it's probably safe, but is
access to the document restricted? How do I know some unknown person
hasn't modified it--perhaps innocently introducing a nasty problem?

I think your analysis is very good, except that it does not follow to
the realistic conclusion: at this time, there is no secure option except
to avoid macros completely. The current approach bows to the highly
desired, but severely flawed "industry practice" of easily embedding
macros in documents and then dumping the responsibility on the user.

OOo can and should do better--and until a better strategy is available,
the default should be all macros off, no questions asked. The user (or
network administrator) should have to specifically enable them. Document
creators should have to assume that the user will not have macros turned
on and plan a graceful fallback.

Some ways I can think of off the top of my head to improve the situation
are: a) give the document user some information to answer those
questions I posed above; b) give the document creator other, safer ways
to provide macros and information about the macros (e.g. a signed
download from a secure site); c) provide a distinct facility that would
allow the macro writer to manipulate the open document, and nothing
else, and allow the document user to know with certainty the macro is
limited in its possible effects.

Maybe these are foolish or technically unrealistic, but there must be
something we can do beyond defending the status quo.

<Joe
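
Added example, not part of the original message and not OpenOffice.org code: a sketch of suggestion (a) above, listing what macro content a document carries so a prompt could show it before the Enable/Disable choice. It assumes the ODF package layout (macro code under `Basic/` and `Scripts/`, macro signatures in `META-INF/macrosignatures.xml`); the function names and the sample package are constructed for illustration.

```python
import io
import zipfile

# Assumed ODF package layout: macro code under Basic/ (OOo Basic) and Scripts/
# (other languages); macro signatures in META-INF/macrosignatures.xml.
MACRO_PREFIXES = ("Basic/", "Scripts/")
MACRO_SIGNATURE = "META-INF/macrosignatures.xml"
# Library index files exist even in documents that carry no macro code.
INDEX_FILES = ("script-lc.xml", "script-lb.xml")


def inventory_macros(odf_bytes):
    """Collect facts a prompt could show before the Enable/Disable choice."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        names = pkg.namelist()
        modules = []
        for name in names:
            if not name.startswith(MACRO_PREFIXES) or name.endswith("/"):
                continue
            if name.rsplit("/", 1)[-1] in INDEX_FILES:
                continue
            modules.append((name, pkg.getinfo(name).file_size))
    return {
        "has_macros": bool(modules),
        "modules": sorted(modules),
        # Presence only: this does not validate the signature or its signer.
        "signature_present": MACRO_SIGNATURE in names,
    }


def build_sample(signed):
    """Constructed sample package, not a real OOo specification document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        pkg.writestr("content.xml", "<office:document-content/>")
        pkg.writestr("Basic/script-lc.xml", "<library:libraries/>")
        pkg.writestr("Basic/Standard/script-lb.xml", "<library:library/>")
        pkg.writestr("Basic/Standard/Module1.xml", "Sub Main\nEnd Sub\n")
        if signed:
            pkg.writestr(MACRO_SIGNATURE, "<document-signatures/>")
    return buf.getvalue()


if __name__ == "__main__":
    for signed in (False, True):
        print(inventory_macros(build_sample(signed)))
```

A signature file being present says nothing about who signed or whether the signature verifies; that check would have to be done against a trusted certificate before the result is shown as trustworthy.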