Well, there's quite a distance between executing something that
is signed by a public entity during a transaction that I initiate,
and having code silently execute because something was pushed
to me unsolicited.

btw, the suggested workaround in the privacy advisory does not
appear to work - at least on my Outlook, turning off Javascript
for the Internet zone turns it off for IE too, which (alas!)
is too restrictive to be practical. I have all the MS security
updates, according to their Office-Update site.

Barney Wolff

On Tue, Feb 06, 2001 at 04:58:39PM -0500, Dan Geer wrote:
>
> > The notion that e-mail should be permitted to contain arbitrary
> > programs that are executed automatically by default on being opened
> > is so over the top from a security standpoint that it is hard to
> > find language strong enough to condemn it. It goes far beyond the
> > ordinary risks of end systems.
>
> And, yet, digital rights folk argue that the only way
> data can be self protecting (the pre-requisite for data
> being out and about on its own), is to wrap said data
> in a program which the recipient must execute. All the
> music royalty or email self-destruction stuffs basically
> take this position. If auto-update of software really
> does take hold, whether by contract (UCITA) or by choice
> (whopping convenient, that), receiving an executable with
> long-lived aftereffect will be part of every ordinary
> person's day.
>
> Not denying your point at all -- merely trying to look
> well down range. I'm a send-by-reference-not-by-value
> sort of guy, but as I see the world, e-mail attachments
> are doubtless now the poor man's distributed filesystem,
> and the momentum is with ever increasing amounts of
> executables being transmitted. Consider, for an example
> actually rather related to this Javascript e-mail issue,
> the case of Zaplets (http://www.zaplet.com) which has
> $100M+ saying that this is the future, or the stored
> procedures in many specialized Oracle applications that
> take the form of Java applets you download silently to
> execute on your end.
>
> Contemplating retirement off the grid,
>
> --dan