Friday, May 21, 2004
Do you like rants? Here's a rant.
When you open your physical mail, as a rule it doesn't spring to life, take over your house, and rent it out to drug dealers.
When you open your email, it should be the same way. It should be just plain data, like the letters your mail carrier delivers. If it were just plain data, you could still follow the advice that security people gave a few years ago, when they said that simply reading email could never hurt your computer. Today your email, or the Web sites you visit, can potentially spring to life, take over your computer, and rent it out to Viagra spammers.
The reason there's a problem is that software publishers added features to provide a "rich user experience" and people bought software with the extra features. The extra features replaced "boring" text with flashy animations and gadgets. That eye candy cost us security, because it allows email and web sites to control your computer.
The latest "rich user experience" causing havoc is the Macintosh OS X vulnerability in the previous blog entry. The problem there was that web browsers on the Mac can open disks automatically over the network and run online help. Then the Mac's online help system can run programs for you. Put those "conveniences" together and any web site you visit from your Mac can run any program it wants on your Mac.
That kind of "convenience" we don't need. I don't make it "convenient" for people to walk into my house without permission.
We need software makers to build programs that don't blindly trust content on the wild Internet. Programs like email and browsers that handle material from the Internet should open it carefully and let you look at it before they do anything with it.
If you want technical detail on the Mac vulnerability, there's a confused but informative discussion on MacNN.com.
|
When you open your email, it should be the same way. It should be just plain data, like the letters your mail carrier delivers. If it were just plain data, you could still follow the advice that security people gave a few years ago, when they said that simply reading email could never hurt your computer. Today your email, or the Web sites you visit, can potentially spring to life, take over your computer, and rent it out to Viagra spammers.
The reason there's a problem is that software publishers added features to provide a "rich user experience" and people bought software with the extra features. The extra features replaced "boring" text with flashy animations and gadgets. That eye candy cost us security, because it allows email and web sites to control your computer.
The latest "rich user experience" causing havoc is the Macintosh OS X vulnerability in the previous blog entry. The problem there was that web browsers on the Mac can open disks automatically over the network and run online help. Then the Mac's online help system can run programs for you. Put those "conveniences" together and any web site you visit from your Mac can run any program it wants on your Mac.
That kind of "convenience" we don't need. I don't make it "convenient" for people to walk into my house without permission.
We need software makers to build programs that don't blindly trust content on the wild Internet. Programs like email and browsers that handle material from the Internet should open it carefully and let you look at it before they do anything with it.
If you want technical detail on the Mac vulnerability, there's a confused but informative discussion on MacNN.com.
# posted by Frederick @ 4:03 PM Email to a friend:
Haloscan: they provide trackback