
Re: ActiveX security hole reported.



Jeremey Barrett wrote:
> 
> <snip original "endusers should be as smart as sysadmins" message>
>
> Brilliant. You must think that the average user is highly aware of the
> security of his or her machine and actively takes steps to ensure said
> security. AND your statements assume that there exist trusted parties
> to sign things, and that they don't charge an arm and a leg to do so.
> 
> I expect that totally unsigned controls will comprise the vast majority
> of those encountered, and I expect that many if not most users will ignore
> the warnings IE gives out, especially given the tendency of most
> windoze applications to spew dialog boxes about everything, most of
> which just require clicking 'Ok'.
> 
> If the facilities exist for control authors to sign their own code,
> then I would expect that to be pretty popular, which would only
> prevent spoofing, and not prevent or even warn of a malicious control.
> 
> Alan Olsen's statement
> 
> > >The ActiveX security model is not a security model.  It is an act of
> > >religious faith.
> 
> is dead on.

Jeremey,

It's frightening to see messages like the one you replied to.

It sounds like we're heading for a Darwinistic future for the Web,
Internet, and computing in general. A future where people who want to
use their personal computers for "low-brow" tasks like doing their
finances, recreational web browsing, etc., without desiring to become
sysadmins and programmers will be weeded out and relegated to the
uninformed masses.  Only the computer elite, who can dedicate all of
their time and effort to keeping abreast of things like Java and ActiveX
deserve to be able to use their computers with a telephone line
attached.  

To say that the average user should be smart enough not to choose OK,
when choosing OK is just what you have to do all the time to do anything
in Micro$oft Windows (name your version, name your application), is like
saying that the soldier should have known better than to step on that
landmine because it was buried in the ground.

Those of us who seem to feel that it's just too bad for the cutting-edge
technology illiterate would do well to remember that people who
don't make their living running other people's computers hardly have
time to learn the pitfalls of the latest thing to pop out of the WWW
fad.  I have no interest in learning medicine, but I want a bottle of
aspirin that is safe to take.  Shouldn't the doctor be able to sit
down at his computer and use the web without having to learn
a second profession AND without getting his computer FUBARed?

I subscribed to this list thinking it would be about ways to secure the
web, not messages from elitists who think the average user should be
weeded out.

John Pavao

