
Re: [d@DCC] Health privacy and license agreements

From: Michael Richardson <mcr _-at-_ sandelman.ottawa.on.ca>
To: General Discussion <discuss (at) digital-copyright.ca>
Date: Fri, 22 Nov 2002 00:37:27 -0500

>>>>> "Russell" == Russell McOrmond <russell@flora.ca> writes:
    Russell>   Having an email client auto-view an office attachment that can contain
    Russell> scripting (macros) is an extremely serious design flaw.  Having commonly
    Russell> shared office attachments contain scripting is itself an extremely serious
    Russell> design flaw.

  Furthermore, the MIME RFC, 1521, in its "Security Considerations", written in
*1993* says:

9. Security Considerations

   Security issues are discussed in Section 7.4.2 and in Appendix F.
   Implementors should pay special attention to the security
   implications of any mail content-types that can cause the remote
   execution of any actions in the recipient's environment.  In such
   cases, the discussion of the application/postscript content-type in
   Section 7.4.2 may serve as a model for considering other content-
   types with remote execution capabilities.


  AGAIN, *1993* is the PUBLISH date. MIME started in 1989.

  They spend MULTIPLE pages to deal with this.

  There is NO EXCUSE. They were WARNED.  
  The IETF had HUGE debates about whether we should standardize such a
dangerous thing, and we did it because we wrote EXTENSIVELY about the risks.

  MS made a CONSCIOUS CHOICE here. THEY ARE CRIMINALLY NEGLIGENT.

    Russell>   We need to hold vendors to the fire for these types of design problems,
    Russell> even if newer operating systems from the same vendor have problems fixed.  
  
  WinXP ships with every user as admin by default.

]                   At IETF55 in Atlanta, GA                    |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] printk("Just another Debian GNU/Linux using, kernel hacking, security guy");[

--
For (un)subscription information, posting guidelines and
links to other related sites please see http://www.digital-copyright.ca

