[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fun with M$

To: "Dan Siemon" <[email protected]>
Subject: Re: Fun with M$
From: Bill Stewart <[email protected]>
Date: Wed, 14 Aug 1996 22:16:41 -0700
Cc: [email protected]
Sender: [email protected]

At 11:07 AM 8/12/96 -0400, Dan Siemon wrote:

>> > Exploder is an Active X control which demonstrates security problems with 
>> > Microsoft's Internet Explorer. Exploder performs a clean shutdown of 
>> > Win95 and will turn off the power on machines that have a power
>> > conservation BIOS (green machines).
>
>I don't see how anyone can call this a bug. 

If somebody can write a web page that, when you view it, turns off your PC,
the only way I can see calling it a positive feature is to say 
"it's easy to make people stop using really insecure products like MSIE!" or 
"Turning off Win95 is a Kind Thing to do!"

>Microsoft has chosen what Sun should have: leave the security to the user,
>don't take it away from everyone.  Java has been severely crippled by the 

User?  What user?   The poor unsuspecting fool who hits the web page?
The kind friendly person who writes web pages that turn off Win95?
Executing signed code from web pages is semi-ok, if the default is to
trust no one and make the user explicitly grant permission to code authors.
Executing anything that comes down the wire is foolish, and writing
software to do so is rabidly negligent.

The Java approach is to define a security model that _should_ let you
safely execute code if you implement it correctly, do some academic-style
analysis to validate the security model, document the level of
trust you can expect from the system, and then put out a mildly buggy
implementation of the system so grad students can rip it to shreds :-)
So far the security problems that have been discovered have been with
the implementation, not with the underlying security model.
And then add a similar-looking language called Javascript with no
underlying security model, make it impossible to turn off, and get 
taunted mercilessly until you add a "Turn it off" checkbox.

The Microsoft approach was to take a hacked-up word-processor gluon,
from the folks who brought you the Word Prank Virus Propagation Tool,
hack it up some more, add Internet hooks, and replace a few bugs with
different bugs while trying to catch up with the market leader on features.
Yes, some of the removed bugs were security bugs, but it's nothing near
secure, and there's no reason to expect it ever can be.

(Brought to you by the folks who added features to Winsock so that
their PowerPoint disk-hogging-and-slideshow system chokes to death
if you install standards-based networking software, even if you
don't use the network features....)

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# <A HREF="http://idiom.com/~wcs"> 	Defuse Authority!

Prev by Date: Re: Stealth Buildings Was Re: "X-Ray Gun" for imperceptible searches
Next by Date: Re: Stealth Buildings Was Re: "X-Ray Gun" for imperceptible searches
Prev by thread: Re: Fun with M$
Next by thread: RE: Fun with M$
Index(es):
- Date
- Thread