On Wed, 4 Feb 2004 13:27:45 +0000
kevin lyda <kevin+dated+1076333269.dc57a9 at ie.suberic.net> wrote:
> but for the most part there *is* a difference between opening and
> running.
True - but only because we see the difference between
data to be interpreted as a program, and data
to be interpreted by a program.
How many people understand and can make that distinction?
> if you have an mua you've already accepted the idea of
> passing untrusted data to a program.
Yup.
> executing untrusted code is a
> step beyond that.
Why? Unless by saying 'executing' you mean 'intentionally executing',
in which case I agree completely, and we're back to needing
social engineering to get the user to 'execute' the code. However,
as I hope I made clear - that doesn't necessarily require the
"extract, chmod +x, run" sequence for success.
If it's PostScript, then 'viewing' amounts to 'executing untrusted code'.
> any helpers that do the former are within the level
> of risk you've accepted, any that do the latter are beyond that level
> of accepted risk.
So .sx? / .doc / .pdf / .ps / flash are 'beyond' because they contain code,
but jpeg/gif etc. are 'within' because they don't?
That kinda puts most of the useful attachments into the 'beyond' camp
(if I understand your inside/outside boundary)
>> kevin
>> --
>kevin at ie.suberic.net ....... financial math: if bill gates & 10,000
> homeless http://ie.suberic.net/~kevin/cgi-bin/blog .. guys are in a
> room, the average net worth of each of them is over $1,000,000. now,
> why do you care what the average bush tax "cut" was again? ...........
>http://www.deanforamerica.com/>
--
Chris Higgins Cisco Learning Partner
Darach Technology Ltd tel: +353-1-6204370
email: chris.higgins at darach.ie fax: +353-1-6204371
http://www.darach.ie