At 8:54 PM -0500 2003/08/23, gep2(_at_)terabites(_dot_)com wrote:
Right basic argument, but reaching the wrong conclusion. Most
users will leave the default protections in place for most
senders, only opening it up where needed.

If you can ensure that "default secure" is the required operating
mode for all implementers. I don't know whether or not we can make
that claim.

Actually, even if Outlook and IE and Windows were all "secure", I
think one can fairly argue that there are 'enough' clueless users
of AOL's insecure client software that there would still be a
problem.

I used to work at AOL. I am more familiar with their client than
I ever wanted to be.

Actually, the AOL client is so simple that it doesn't really
understand attachments, and certainly doesn't understand multiple
attachments (in that case, the user sees a preview of the first
bodypart, and the entire mail message is stored as an "attachment"
that must be downloaded to be viewed). It also doesn't understand
anything about automatically executing code.

It does now have an embedded HTML engine, but that doesn't allow
for automatically connecting to external web servers and downloading
additional content.

I fully agree that Microsoft has done some pretty stupid crap over
the years, including enabling HTML by default, but a lot of other
software suppliers aren't a whole lot better.

I'm a pretty big critic of a lot of the incredibly stupid things
that AOL has done (just ask Steve Case about the times I have
publicly harassed him at company "all hands" meetings), and indeed I
feel that they are an "Evil Empire" that is only very slightly better
than Microsoft. But this is a case where their stupidity has
actually served them reasonably well.

I definitely agree that there are plenty of companies out there
that have done things almost as bad, as bad, or even worse than
either Microsoft or AOL. The difference is that most of these
companies are no longer around, or have since learned their lesson.

That's the intention for the Secure Computing Initiative, which is what
Microsoft is calling their development effort.

Uh, no. Microsoft calls their stuff secure when they have some
guarantees as to what they can prevent the user from doing.

This is totally unrelated to real computer security, which has
more to do with having guarantees as to what the machine is or is not
capable of doing, and how malicious programs can be restricted from
negatively impacting anything else on the system.

It wasn't all that long ago that Sendmail (et al) all defaulted to installing
with open relays and such too, so it's not as if Microsoft is the only guilty
party in this industry.

No, not the only one. But certainly the biggest. Indeed, bigger
than the entire rest of the industry put together. Moreover, they
have not learned the lesson (indeed, they show every indication of
ensuring that they cannot possibly be forced to learn the lesson) and
they continue to do the damn stupidest of things.
--
Brad Knowles, <brad(_dot_)knowles(_at_)skynet(_dot_)be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
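The two mechanisms argued over in this message, a "default secure" posture that stays on for every sender and is opened up only where the user chooses, and an HTML engine that does not automatically connect to external servers or run code, can be sketched as a small mail-reader filter. The following is an added example written for this archive page; it is not code from the thread, from AOL, or from any mail client named above. It uses only the Python standard library. The element and attribute tables, the `data-blocked-src` attribute used to park a neutralised URL, and the sample message are all assumptions made for the demonstration.

```python
"""Default-deny handling of HTML mail: code is stripped and remote fetches are
neutralised unless the sender is on the user's explicit allowlist.
Added example for this archive page; not from the thread or any mail client."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that fetch a remote resource when rendered, and the attribute that
# carries the URL. (Assumption: this small table is enough for the demo;
# <a href> is deliberately absent because following a link is user-initiated.)
REMOTE_ATTRS = {"img": "src", "link": "href", "video": "src", "audio": "src"}
# Elements dropped outright: a mail reader should never execute or embed code.
DROP_ELEMENTS = {"script", "iframe", "object", "embed", "applet"}
REMOTE_SCHEMES = {"http", "https", "ftp"}
VOID_ELEMENTS = {"img", "br", "hr", "link", "meta", "input", "embed", "source"}


def is_remote(url):
    """True when rendering this URL would contact an external server.
    cid: (inline attachment) and data: URLs stay local and are allowed."""
    u = url.strip()
    if u.startswith("//"):            # protocol-relative URL still reaches out
        return True
    return urlsplit(u).scheme.lower() in REMOTE_SCHEMES


class MailSanitizer(HTMLParser):
    """Rebuilds the HTML with code removed and remote fetches neutralised."""

    def __init__(self, allow_remote):
        super().__init__(convert_charrefs=True)
        self.allow_remote = allow_remote
        self.out = []            # sanitised fragments, joined at the end
        self.blocked = 0         # count of things neutralised
        self._skip_depth = 0     # >0 while inside a dropped element

    @staticmethod
    def _attr(name, value):
        if value is None:
            return " " + name
        return ' %s="%s"' % (name, html.escape(value, quote=True))

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.blocked += 1
            if tag not in VOID_ELEMENTS:
                self._skip_depth += 1   # swallow the element's content too
            return
        if self._skip_depth:
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):  # inline event handler is code
                self.blocked += 1
                continue
            if (lname == REMOTE_ATTRS.get(tag) and value
                    and is_remote(value) and not self.allow_remote):
                self.blocked += 1
                # Park the URL so the client can later offer "load remote
                # content from this sender" (hypothetical attribute name).
                kept.append(("data-blocked-src", value))
                continue
            kept.append((name, value))
        self.out.append("<" + tag + "".join(self._attr(n, v) for n, v in kept) + ">")

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_ELEMENTS:          # e.g. <embed .../>
            self.blocked += 1
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            if tag not in VOID_ELEMENTS and self._skip_depth:
                self._skip_depth -= 1
            return
        if self._skip_depth or tag in VOID_ELEMENTS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip_depth:          # script bodies never reach the output
            self.out.append(html.escape(data, quote=False))


def sanitize_html_mail(body, sender, trusted_senders=()):
    """Return (sanitized_html, blocked_count). Remote content is kept only
    when the sender is on the user's allowlist; code is always removed."""
    allow = sender.lower() in {s.lower() for s in trusted_senders}
    p = MailSanitizer(allow_remote=allow)
    p.feed(body)
    p.close()
    return "".join(p.out), p.blocked


# Constructed sample message (not from the thread): a tracking pixel, an
# inline cid: image, a script element and an inline event handler.
SAMPLE_MAIL = (
    '<html><body><p>Hello &amp; welcome!</p>'
    '<img src="https://collect.example/pixel.gif?id=123" width="1" height="1">'
    '<img src="cid:logo" alt="logo">'
    '<script>document.title = "x"</script>'
    '<a href="https://www.example.com/" onclick="alert(1)">link</a>'
    '</body></html>'
)

if __name__ == "__main__":
    for trusted in ((), ("news@example.net",)):
        cleaned, blocked = sanitize_html_mail(SAMPLE_MAIL, "news@example.net", trusted)
        print("allowlisted" if trusted else "default", "- blocked:", blocked)
        print(cleaned)
```

With the default policy the tracking pixel, the script and the `onclick` handler are all neutralised (three items) while the `cid:` image, which refers to a part of the message itself, is untouched; adding the sender to the allowlist restores the remote image but still strips the two pieces of code, which is the distinction the message draws between "what the user can do" and "what the machine is capable of doing".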
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg