
Re: ActiveX security hole reported.



At 05:03 AM 8/16/96 -0400, Sean Robert Wilkins wrote:

>Now I should start and say I am surely not saying there are no security
>problems here, BUT actually a person who is running around the web with
>software of this type should know at least the basic security around the
>dialogs. Now not that everyone knows everything, but a basic level should be
>known, this is why MS's messages are so descriptive to Netscape's, to
>compare. And actually there are some places to get your code signed for a
>reasonable rate, about the same rate as it is to have say ASP verify a
>shareware program. These companies are in the Internet position of a notary.

The problem here is that you are overestimating the clues of the average
Internet user.

Most of the people I have met who are on the net are there because they
believe that they have to be to be buzzword compliant.  (Buzzword compliance
is one of the requirements for ISO 9000 certification, as well as looking
younger and tasting better.)  The media has sold them on the idea that the
Internet is the "Cool Place to Be".

Most of these people would not know the difference between a security model
and a supermodel.

Most of these people have no idea what the dialogs mean that pop up on a web
browser or any of the myriad pieces of information that you and I take for
granted.  ("What is this key at the bottom of the screen and do I have to
split it with the sound man?")

Most of these people do not even know the basics about running their own
computers, let alone have any clues about security issues.

And you know what?  THEY DO NOT WANT TO KNOW!  They just want it to "make it
go".  They want it to be as easy as their microwave oven and they don't care
that there are safety procedures to keep them from putting their head in it.
(Hell, many of them probably put foil in theirs just to watch the pretty
lights.)

"These are just simple people.  The common clay of the new Internet.  You
know... Morons."

>        Actually I had a question of you are you a big fan of Java? or its
>scripting. MS based or SUN?? There is always going to be a back door
>somewhere.. or an invisible security problem..

Java Script was not created by Sun.  It was originally called "live Script"
and was something that originated with Netscape.  (I think they purchased it
from yet another company, but I am not certain.  Need more coffee...)

The reason that people try to break these things is to find these "invisible
security problems".  

As for "backdoors",  do you believe that they exist and do you believe them
to be intentional?

>        Another thing about this the angry or sarcastic tone of this message
>is not appreciated or necessary so please don't use it, This is a news group
>for debating maybe but none of that stuff...

How dare you get upset at our angry and sarcastic tone!

Actually there is nothing on the net that will get an angry and sarcastic
remark faster than someone making self-righteous judgements about the
behaviour of others, especially within the bounds of a heated debate.

Actually, there is a lot of reason for anger and sarcasm when it comes to
ActiveX.  Microsoft has made some assertions when it comes to Internet
security that make the whole environment a whole lot less safe.  To make
matters worse, they seem to think that "just trust us and the apps we sign"
is a valid security model.  In an Intranet environment, where you have
control over the code and the environment, ActiveX has a place.  But it does
not have a place where the majority of the users are clueless and will
believe just about anything you tell them.

Then again, maybe ActiveX is a good thing.  Maybe it will clear out a bunch
of newbies when they hit all the landmine ActiveX apps that will spring up
in the next year or so.  We can only hope.

It won't be on any of the web pages I administer...
---
Alan Olsen -- alano@teleport.com -- Contract Web Design & Instruction
        `finger -l alano@teleport.com` for PGP 2.6.2 key 
                http://www.teleport.com/~alano/ 
  "We had to destroy the Internet in order to save it." - Sen. Exon
                "Microsoft -- Nothing but NT promises."