Microsoft Word Documents That "Phone Home"
ephraim writes "According to The Privacy Foundation, Microsoft Word documents have a 'feature' which allows the documents' creators to place web bugs within the documents that inform the author whenever somebody has opened the document via a web server's logging facilities. This 'feature' can also be used to set and view cookies on the reader's copy of Internet Explorer. The story can be found here.
While this might be useful for tracking the distribution of confidential documents, it also raises serious red flags about privacy since most people probably aren't expecting their copy of MSWord to announce their reading habits every time they use it."
Props to their CTO Richard M. Smith.
Here is what Microsoft had to say about it (emphasis added)...
Vendor Contact and Response
Microsoft was contacted about this issue on 8/4/00, and again on 8/25/00. They confirmed that Microsoft Word will access the Internet in order to fetch Web images that are linked to in a Word document. They went on to say that Word uses Internet Explorer to fetch images and therefore standard Web browser cookies can be both read and set from inside a Word document. However, the company claims that Word users can mitigate the use of cookies.
Regarding the potential use of Web bugs to track Word documents, Microsoft said that there is no evidence that such activities are occurring.
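The mechanism the advisory and Microsoft's response describe is an image reference that points outside the document, so the first thing a reader can check is which hosts a document would contact when opened. The scanner below is an added example, not code from the Privacy Foundation or Microsoft; it assumes the document has been saved in HTML form (Word can do this, and the HTML-based Office formats embed images the same way) and uses a constructed sample document with one local image, one 1x1 remote image carrying an identifier in its query string, and one ordinary remote image.

```python
"""Scan an HTML document for remote image references that would make a
reader's machine contact an outside server when the document is opened."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample document (not from the advisory): one local image, one
# remote 1x1 image that carries an identifier in its query string, and one
# ordinary remote image. Host names are placeholders.
SAMPLE_HTML = """
<html><body>
<p>Quarterly report</p>
<img src="logo.gif" width="120" height="40">
<img src="http://tracker.example/1pix.gif?doc=offer-letter&id=4711" width="1" height="1">
<img src="https://cdn.example/chart.png" width="300" height="200">
</body></html>
"""


class ImageRefCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            # attrs is a list of (name, value) pairs; value may be None
            self.images.append({k: (v or "") for k, v in attrs})


def classify_image(attrs):
    """Return 'local', 'remote-image' or 'web-bug' for one <img> tag.

    A remote reference is a web-bug candidate when it is a 1x1 image or
    carries a query string, which is how a per-document identifier is
    usually smuggled into an otherwise plain image URL."""
    parts = urlsplit(attrs.get("src", ""))
    if parts.scheme not in ("http", "https"):
        return "local"
    tiny = attrs.get("width") == "1" and attrs.get("height") == "1"
    if tiny or parts.query:
        return "web-bug"
    return "remote-image"


def scan_document(html):
    """Return [(src, classification), ...] in document order."""
    collector = ImageRefCollector()
    collector.feed(html)
    collector.close()
    return [(img.get("src", ""), classify_image(img)) for img in collector.images]


def external_hosts(html):
    """Hosts the reader's machine would contact just by opening the document."""
    return sorted({urlsplit(src).netloc
                   for src, kind in scan_document(html) if kind != "local"})


if __name__ == "__main__":
    for src, kind in scan_document(SAMPLE_HTML):
        print(f"{kind:13} {src}")
    print("would contact:", external_hosts(SAMPLE_HTML))
```

The classification is deliberately conservative: any remote image is reported, because even a full-size picture fetched from a server the author controls produces the same server-side log entry (and the same cookie traffic through IE) as a one-pixel one; the size and query-string checks only separate the obviously purpose-built beacons from ordinary linked graphics.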
If I distributed an HTML document which had references to images or other objects on some website, every user opening that HTML document would cause an access to that web site.
Mmmm.. Donuts
Since it's not happening now, it couldn't possibly start happening later. I've never seen a problem with a Microsoft product be exploited weeks, months, even years after it was released. Now I'll be able to sleep at night.
--Ty
So let me get this straight. Word can:
-Run arbitrary macros
-Access your hardware
-Access the Internet
-Download and upload data
-Set and send cookies
I'm beginning to think Microsoft is right: They don't know the difference between an app and an OS.
Just to spell it all out: A Word macro virus now has the ability to, say, infect all your existing Word files such that when you open one of those files the contents are sent to a named address on the Internet. Goodbye confidential documents!
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Well so you have your VBS virus write a web bug into every created document. In this is the registry settings that hold your password stored in a cookie and anytime you open the document you have "sent" your passwords to the bug writer.
Can we say hole the size of... well the size of Windows.... :)
Telcos have alot of dark fibre in the States. Most people assume that's optical fibre...but it's actually moral fibre.
Good job, Slashdot! Keep up the good work!
We shouldn't be too surprised; Web Pages are already like this.
I remember the surprise that a friend of mine showed when I showed her "Apache Logs".
Her first reply was, "HOW CAN I MAKE IT NOT DO THAT?!?"
(This is a particularly paranoid friend of mine.)
General rule of thumb: If you're doing something on the Internet, you're being logged.
Do something useful: read "Transparent Society" and/or work on making yourself a more tolerant person, rather than fretting about your "privacy" (unaccountability).
On the topic of Word: How hard is it to just have a simple word processor package?
WTF does Microsoft have to insist on throwing every single bell and whistle that the 1%'ers want into the mix. People want a small, reliable processor to type up homework and reports.
They went on the right track with their installation process, which splits up Word into its vital components, and lets you choose which to install. But what good is that if it still installs components that you don't want, and don't trust on your machine (such as the topic)?
If I distributed an HTML document which had references to images or other objects on some website, every user opening that HTML document would cause an access to that web site.
And if you read *any* document with a ref to an outside object (like a one pixel .jpg) with *anything* that is web aware the exact same thing will happen.
However, if you read the document in Wordpad or some other text only program you can avoid the effect. Makes for some pesky reading around markup and junk, but you will see the references to the web too.
Visit DC2600
Eve Fairbanks says I drive a hybrid!LOL
Don't forget Excel and the rest of em...
what are those curious little dots that appear and disappear on /. as the page loads, like right above the banner ads?? Are we being web-bugged even as we talk about it?? :))
However, looking at page source it looks like something to do w/ pagecount, but you got us wondering about any image w/ WIDTH=1 HEIGHT=1
try { do() || do_not(); } catch (JediException err) { yoda(err); }
The logging is bad enough (just because HTML does it doesn't make it OK). But combine that with the already known scripting "features" of Word and you have a recipe for disaster. Everyone who has Word installed has a generalized scriptable app open to the Internet. That's a big problem.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
When I am in Vindoz I use ZoneAlarm as a firewall which asks me if I want an application to access the Internet when an attempt is made. I have never had any Office component attempt this but I like knowing if and when Word or anything else tries...
Do your best, hope for the best, suspect the worst.
Four words: Don't use Microsoft Word.
That doesn't bode well with Bill Gates' World Domination Plan (tm).
Has anybody checked to see if the same thing happens in Excel?
...phil
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
And they're *not* viewed in a web browser. Indeed, it's a good way to get an "opened" receipt when you send email (even if they choose not to acknowledge the usual "receipt requested" flag): embed a graphic from your own site and their client will automatically fetch it when they open the message. Cookies, too.
Clever, but not new. Why the big MSFT-is-evil hype about this?
Yes, good job RMS.
Care about freedom?
I'd rather be lucky than good.
Thus, this technology gives you the possibility to predict unauthorised access to your documents before it actually happens, thus enabling you to apprehend and punish the criminals _before_ they commit the crime. This technology is intended to be used in conjunction with the DMCA to prevent the unauthorised disclosure of confidential electronic documents. Slightly creepy, but very interesting technology nevertheless.
Here's an actual reason to send your resume in Microsoft Word format -- you can track who at the company is reading it and when. Put a bullet graphic on your web site, hold your nose and go to Kinko's to save your resume in Microsoft Word format, and sit back and track it.
"Hi, this is Bob. I'm applying for the Internet security position, and I'm calling about my resume which you're looking at right now on your Macintosh." Freak them out but get the job.
Mapping IP addresses to user names and phone extensions is a simple matter of social engineering and common sense.
-- Real free software sites don't use GIFs.
Word will use Internet Explorer to do this, which also means it will use IE's proxy settings. Just another good reason to use Junkbuster. Of course, there's a very small chance the host images are coming off of are actually in your scookie.ini.
--jb
I hate the term "web bug". Actually, I'm more offended at the people who come up with these stupid terms rather than the potential abuse they bring about.
I propose that we direct our energies to tracking and hunting down people who come up with these terms and sending them to Texas. I'm sure they'll know what to do about them down there.
-- You see, there would be these conclusions that you could jump to
See, I'm not one of those "all information deserves to be free" geeks who thinks that it is perfectly okay in all cases to spread copyrighted information all over the place. So I can support the concept of using this to track copyrighted documents in most cases.
:P
However, I can't stand the idea that outside of that limited arena that anyone can track the documents I read if they have any of these embedded graphics files. I have enough problems with cookies tracking how often I check certain web sites. This is intolerable. At the very least, it's an invasion of privacy, and the simple matter of 'turning off cookies' falls on deaf ears as most of the End Users won't know about this invasion of privacy or the need to turn off cookies.
In any case, Microsoft is coming out of this looking like the bad guys again, and they _still_ can't differentiate between OS's and apps...
Kierthos
Mr. Hu is not a ninja.
ln -s `which strings` /usr/local/bin/word
I know that a lot of people enjoy bashing Micro$oft when a hole like this turns up in their products, but just for perspective, this will apply to any application that has sufficient integration. And as far as that goes, even the Privacy Foundation says that the integration is potentially useful and they recommend keeping it there. Just wait a little while; integration and component reuse is a very important feature of MS Windows, but Linux is catching up quickly. Soon we'll have this sort of problem also.
If you are modding me down because you disagree with me, use the "Flamebait" category, not the "Troll" one.
So yes, this would be applicable to some other MS apps. My solution, though I don't know if it will work well, would be to continue to use a program which asks me if I want other programs to access the internet. I'm pretty sure that it would catch Word before it could get the image from a server. However, I can't guarantee that; this is Microsoft after all, and we know how open their platform is.
GNU emacs can do all of these things too (including harboring document virii). What's the diff?
Question: has anyone heard of Wild tangent? My router the other day started connecting to a website "update.wildtangent.com" out of the blue when I launched win98. I found the directory "wt" in windoze and uninstalled it. Funny thing is, I never agreed to install it AND after I did remove it IE slowed down A LOT when changing btw open windows. Just curious, because this seemed to be related to M$.
Sig it.
I've noticed some spam that would try to fetch a graphic from a website. They track your address in the image location so they know who's getting it and who isn't. We need a backwards firewall to prevent traffic like this from leaving.....
Is the versioning information that is often stored in Word documents. This allows "template" documents like contracts, offer letters, etc. to become sources of "extra" data if the originator starts with an existing version and overwrites it! This happened with me once. A co-worker got a copy-and-overwritten offer letter that had my specifics in it when he viewed it under vi.
MORAL: Always start from clean documents (or turn the versioning off if you can)
I use a firewall, which, by pure coincidence, registered today. It's Zone Alarm Pro and they have a [less featured, but functional] version free for personal use. It's a very good one, IMO, as it detects when a program opens the winsock, and asks you if you should let that program access the net. It can remember your choice. I recommend it.
So I got curious to see how it'd react to this. Downloaded the demo document from the article and, after opening the document, it told me Word was trying to access it.
I simply didn't allow word to access the net (word was trying to contact 127.0.0.1, probably to IE).
As I didn't grant access to word, it logged:
ACCESS,2000/08/30,16:50:12 -3:00 GMT,WINWORD.EXE was temporarily not allowed to connect to the Internet (127.0.0.1).,N/A,N/A
and the bug didn't work.
-
Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
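The log line in the post above is the kind of record a personal firewall leaves behind, and a few of them are enough to answer "which programs on this box try to talk to the network, and were they let through?" The parser below is an added example (not ZoneAlarm's code or the poster's): only the first sample line is the one quoted in the post, the other two lines are constructed, and the "was allowed" wording for a permitted connection is an assumption, not taken from a real ZoneAlarm log.

```python
"""Parse ZoneAlarm-style ACCESS log lines and flag programs that are not
expected to talk to the network."""
import csv
import re
from io import StringIO

# Constructed sample log. Only the first line is the one quoted in the post;
# the other two are made up, and the "was allowed" wording is assumed.
SAMPLE_LOG = """\
ACCESS,2000/08/30,16:50:12 -3:00 GMT,WINWORD.EXE was temporarily not allowed to connect to the Internet (127.0.0.1).,N/A,N/A
ACCESS,2000/08/30,16:51:03 -3:00 GMT,IEXPLORE.EXE was allowed to connect to the Internet (192.0.2.10).,N/A,N/A
ACCESS,2000/08/30,16:52:40 -3:00 GMT,EXCEL.EXE was temporarily not allowed to connect to the Internet (127.0.0.1).,N/A,N/A
"""

# Programs a workstation owner would expect to open network connections.
# This allowlist is an assumption for the example; tailor it to the machine.
EXPECTED_NETWORK_APPS = {"IEXPLORE.EXE", "OUTLOOK.EXE"}

# "<EXE> was <outcome> to connect to the Internet (<destination>)."
MSG_RE = re.compile(
    r"^(?P<exe>\S+) was (?P<outcome>.+?) to connect to the Internet "
    r"\((?P<dest>[^)]+)\)"
)


def parse_zonealarm(text):
    """Turn ACCESS lines into dicts; lines that do not match are skipped."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 4 or row[0] != "ACCESS":
            continue
        m = MSG_RE.match(row[3])
        if not m:
            continue
        events.append({
            "date": row[1],
            "time": row[2],
            "exe": m["exe"].upper(),
            "allowed": m["outcome"] == "allowed",
            "dest": m["dest"],
        })
    return events


def unexpected_network_use(events, allowlist=EXPECTED_NETWORK_APPS):
    """Events from programs outside the allowlist, whether blocked or not."""
    return [e for e in events if e["exe"] not in allowlist]


if __name__ == "__main__":
    for e in unexpected_network_use(parse_zonealarm(SAMPLE_LOG)):
        verdict = "allowed" if e["allowed"] else "blocked"
        print(f'{e["date"]} {e["time"]}  {e["exe"]} -> {e["dest"]}  [{verdict}]')
```

Note what the quoted line actually records: the destination is 127.0.0.1, which matches the post's guess that Word hands the fetch to the IE component on the same machine rather than opening the outbound connection itself. A rule that only looks at the destination address would therefore learn nothing about the real host; it is the program name that carries the signal here.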
I can't wait to find out what other "innovation" gems are still out there.
Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
My name is Bill Gates. I have just written up an e-mail tracing program that traces everyone to whom this message is forwarded to. I am experimenting with this and I need your help.
Forward this to everyone you know and if it reaches 1000 people everyone on the list will receive $1000 at my expense.
Enjoy.
Your friend,
Bill Gates
Damn! This was totally true and I missed out!
-------
We want some answers and all that we get
Some kind of shit about a terrorist threat
- Ministry
They don't know the difference between an app and a document.
A=B=C -> A=C
It logically follows that they don't know the difference between a document and an OS. There is further practical proof of this from the way you can open configuration windows from their help files.
Ergo, the next version of MS-Windows will be called MS-Help. Instead of CTRL-ALT-DEL to log in, you'll use F1. Every time you want to type something in, you'll need to reassure your computer that you are indeed familiar with the operation of a keyboard, and probably still be forced to repeat the "This is the space bar. This is what we call the home row." tutorial every time you reboot.
--------
That's why every time someone tries to fob this kind of thing off on the public, we need to make a stink about it. Joe sixpack isn't going to be interested enough in the details to realize how heinous it is until it's too late. So joe pizzabox hacker needs to find this stuff out and let the public know about it, and explain why it's a bad thing.
The EFF or some such group should probably have a project to uncover and track such nasties.
Subscription software is a big enough pain, without all of the other skullduggery someone like M$ is likely to get into. At the very least, software publishers should be required to disclose such things and be severely slapped if they overstep their bounds. It's one thing if you decide to allow a piece of software to do this, it's another if it does it behind your back.
Is there some way to set up a firewall to prevent or at least alert us to such things?
For a company, a simple fix is: don't use Word documents from outside - only accept Postscript or PDF.
Which would be a good thing for us Lyx, LaTeX or (insert non-MS office product here) users.
Why on earth do you even need them? I mean, you (the /. team) have full control of the server, right? So why use a goofy hack like 1 pel images?
It seems to me that it's lazy and irresponsible to require an extra http request.
--------
You could probably hack up some magic stuff to page you when someone opens your resume, too. After all, this technique would really only be effective if you catch them in the act.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Is there an option to disable this feature? I am unhappy with this.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
One could then simply compare the list of installed software at home or work, best with hints on how exactly to turn things off or what replacement version to install. Previewing my comment I see that I only gave MS software examples, I'm aware that they're not the only ones screwing things up
Find out about the feature
Query Help for about an hour to find out how to moderate
Find it shipped enabled and then disable it
Probably my greatest annoyance with M$ products is this type of behavior. It usually costs me hours to find and disable all the annoying "features", particularly because M$ doesn't use the same terminology the rest of the world does, so it's non-obvious. Then the on/off button is deeply buried in a non-obvious location. There's a name for people who design things like this: a$$hole.
Vote Naked 2000
A feeling of having made the same mistake before: Deja Foobar
... if the internet happens to be accessed via another application, namely Internet Explorer, which you expect to access the internet and thus are likely not to block?
Because that is (according to the article and MS's statement) what actually happens.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
Or don't read your mail in Netscape. I've recently discovered VM for Xemacs, which gives me all the features I need -- POP, IMAP or direct mail, you can change your address (Handy for non-static POP accounts and my biggest complaint with PINE,) flexible address book handling, real PGP/GPG support (With a menu drop-down added in, even!) MIME handling, folders, and so forth. Plus some stuff I never had before like xfaces, which is pretty damn spiffy.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
When I was playing with PostScript, I always wanted to come up with a PostScript worm that would propagate from printer to printer and once there, scan for the word "strategic" and replace it with the word "satanic." If I'd been able to figure out how to open a network socket in the language, I could have pulled it off too...
TeX/LaTeX are also computer languages, allowing at least for conditionals and possibly looping as well (I never got THAT much into them.) They read kind of like LISP without the parentheses.
While I'm not aware of any actual instances, the potential for mayhem is there.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
MS just took the next logical step. They built a feature into the application that programmers had been scripting into it for years.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
Once again we have an example which I think points out our need for more fine-grained access control. We need to be able to limit what apps other applications may run/interface with, and we may also want a way to have inherited limits. I don't want most programs being able to send mail; I want them locked out unless I give them permission. I'm not sure of the technical details of implementing this, but if we want truly safe computers, this seems like the only way to me.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
Adding these types of things would be essentially trojan programs. Same thing as ad-trackers using cookies. I would like to see some of these companies that use this type of thing as the basis of a charge under the computer trespass act.
Fight Spammers!
Because anyone who wants to stay up-to-date on security problems with any Linux application can simply stay on the appropriate mailing list and find out when an update patch is available. Microsoft is a different phenomenon, and thus requires different media coverage. Also, the X-Chat vulnerability announcement comes with a fix, the Microsoft Word one is a continuing, acknowledged problem that will likely not be fixed, thus it becomes newsworthy.
FilterProxy can successfully remove web bugs.
This message has been brought to you by Blatent Plug-O-Matic(tm)
--Bob
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
This weeks' Computerbild has a story about a new virus sniffing SBS (a Swiss bank) e-banking usernames and passwords using a similar technique. This is scary stuff, as real money is involved. Wanna bet that this e-banking service was marketed as "100% secure, because Bill Gates himself said so"?
--
- the web site can be shut down too easily
- it gives away your identity
). Or even better: only upload those documents that contain the words company confidential, for internal use only, trade secret or series of long numbers that look like bank account numbers. That way, you make better use of bandwidth.
Ouch, that would hurt. Better buy those MSFT puts right away...
But since I use Opera, whenever IE wants to access the internet (usually, strangely enough, when I start it by mistake) I usually go NONONONONONONONONONONONONONO, and then press the No button.
I am, however, worried as hell when my connection lights are flashing like the dickens and the ZoneAlarm graph stands still. I complained to my ISP, and they say it's RIP (!). Good thing I'm not actually paying for service...
Is this post not nifty? Sluggy Freelance. Worshi
Earnest question here:
My understanding is that my IP address is dynamically assigned when I connect -- it's not the same from session to session.
So what is gained from a web bug other than the knowledge of which ISP I'm using?
It's not like my computer name (tacogato) would tell them anything. The ISP doesn't have my address, so a web bug can't get it either unless they can convert the IP to phone number and then reverse lookup to get my address. Is any of this possible? Or is this only a concern for those with static IP addresses?
What about small businesses, often using a shared modem setup? Do they generally have static IPs? If not, it seems the web bug is not broadly useful.
Could someone enlighten me please?
-----
D. Fischer
ShoutingMan.com
How about in a keyboard driver, like HP's latest? Any executable has the potential of networking, so people should slowly get used to this idea. One solution might be to have a kind of application firewall inside the OS, which lets you determine which apps should be allowed socket communications, and which not. And to be informed when an app tries to open a socket.
Uwe Wolfgang Radu
One year? That is a helluva lot of time. Melissa and I love you were discovered within days, if not hours. Every single computer will have been cleaned before your virus activates...
unless...
you make yours much more discreet than Melissa and Iluvu. Do not mail yourself to every address book entry. No, just hook yourself into MAPI, and silently infect outgoing messages which the user sends. But only do it if the intended receiver has Outlook too (easy to find out by scanning the inbox and the archive for the last message by that user and looking at its headers). Even with this slow spread, one week should be enough to acquire a sizeable target market. One day before activation, go into "fast mode", and fire off automatic messages to all users who recently mailed us, and who have outlook. Subject would be Re: Subject of last received messages. Text would be entire quoted text of last received message. And then, let that puppy bark.
What's the big deal? How many Word documents does anyone write that they distribute? How many Word documents written by someone else do you read? Who cares if the original author knows you are reading the document? Why would you be reading a Word document from an untrusted source anyway?
what we should really be worried about is this part:
so there could eventually be Trojaned mp3 floating on Napster someday. Only way to avoid this would be to never upgrade Sonique, Winamp, or Media Player again...
JOIN !LINK CLUB!
Don't blame me - I voted for Howard Dean. http://dean2004.blogspot.com
The problem at hand here is not being logged when we visit webpages. You could be logged just by opening an innocent looking Word document. Besides, with a webpage you can always look at the source and see there's a webbug...
Who knows, maybe you even read some Word documents infested with those webbugs already.
"If liberty means anything at all, it means the right to tell people what they do not want to hear"
What you have to realize is that while Word documents might be a big deal today, in the fast paced world of computing, they really won't be significant in the future. A new medium - a method - of transferring and communication between hosts, indeed - systems, business, communications and other systems - is emerging. XML.
I really hope we live in such a utopia someday.
But, how long has there been a Microsoft Word? How much human information, knowledge, and communication is bound up in Microsoft Word documents, and how long will much of that legacy be relevant?
And, considering how long there has been one, and the size and relevance of the legacy-- how long do you think we'll be dealing with binary formats like Word?
The future usually maps better to William Gibson and Ridley Scott: There's the new, but those old layers of decades dirty old grunge and tech still persist refusing to die. I predict that we'll still need to open MS Word documents in 2010. Hell, I just had to open a WP v4 document the other day..
-
The EFF or some such group should probably have a project to uncover and track such nasties.
Not easy without the source. Now, what would be a good idea, would be to write a new, open source, OS, web browser, and office suite. If these were open source, it would be quite transparent when people tried to sneak this kind of crap into their products.
G
Is that all that goes on here anymore. Let's all take potshots at MS anytime they do anything! I can think of a couple of good things about this.
Tracking internal document consumption - If you can place a cookie, you can track who and how many times something is read.
Changing document data to reflect different visitations. If a user has already read the document and it hasn't changed it doesn't download the Word document.
I am reminded of a Shakespeare when I hear this: (approximation) Nothing is neither good nor evil but thinking makes it so. Of course somebody can do something malicious, but somebody can also do something positive. If you're that worried about it, download the document, open up your favorite text editor (insert here), open the Word document, strip out the header and footer information, and read it. Very simple. And for the joker who will point out what if it has pictures or some really brutal formatting that doesn't show up; well tell the folks that put it up on the website to save their document as HTML or a TXT file. Laters
/me gets off my soapbox
Hangtime
If you continue to think what you have always thought, you will continue to get what you have always got.
-Anonymous
I cannot stress this enough, people. Read the articles referenced by slashdot before you post obvious questions.
The article clearly states:
So I would imagine that the answer is "yes. Someone has checked."
I don't buy it. The premise that privacy and anonymity are a necessary casualty of technological advance is not necessarily true. It has been true thus far largely because privacy wasn't a design consideration in many of the systems we used. Most internet protocols were not designed to support privacy. HTTP is certainly in that category. The message is going out that privacy should be a design consideration. Zero Knowledge, for example, offers a service which reportedly encrypts your traffic and passes it through a series of servers to hide content and origin. Common cleartext protocols like telnet and ftp are being replaced by encrypted alternatives. Mr. Brin discusses privacy degrading technologies but doesn't concern himself with privacy preserving technologies which will grow in parallel.
Realize too that concern about loss of privacy is well founded. If and when privacy evaporates there will be consequences, and not just decreased crime, which isn't necessarily true either. How many convenience store robberies have you seen on the local news, committed right in front of the obvious cameras? Criminals aren't known for their intelligence. Recall the story of the gentleman who fell in the supermarket and was confronted with his purchase record, which included regular purchases of alcohol, and the threat that this record would be used in any lawsuit brought against the store. Just because you've done nothing wrong, but rather something "everyone" does now and again, doesn't mean that information (which, quite frankly, is none of their concern) won't be misrepresented and turned against you.
I've honored your request and read the article (again). Please do something useful as well: read Database Nation and understand the consequence of burning the privacy bridge. It's not an easy one to rebuild.
As well as any other Office applications, when they launch an HTML type of document. It's pretty easy to grant permission this one time only, too -- so you always know if programs that normally shouldn't be net-enabled are trying to slip one past you.
Clearly you don't realize how either the "Internet Explorer component", or ZoneAlarm, works. Though Word uses the same HTML renderer, it is from within its own EXE. Granted, I don't kid myself that this will trap ALL instances of non-obvious internet use, but it goes a long way towards making me feel like I'm still in control.
----
lake effect weblog
{Network engineer in Chicago--looking for work!}
Star Office
Good point. From the Document Web Bugs FAQ:
HTH, HAND.
Cheers,
A couple of years ago, people didn't expect to have Word Processors to check your spelling as you type.
True, let's boil it down to simple terms. "Except that people don't expect word processing documents to tattle on them when they read them".
Unless the spell checkers these days post your most embarrassing mistakes on the net, the Word bug problem is worse by far!
602pro. Look around, it's like a suite/pc office/something, forget the exact name. Comes with a word-clone, excel-clone, mspaint-clone (???), and faxer (???). No Access here, but FileMaker is better anyway and most database stuff can be done with a spreadsheet or the Label feature. You're also missing Outlook, but use Eudora. Best part, it's free.
Well there isn't an option for that, but one way to help secure Outlook is to set it to handle all HTML pages as files from the "restricted sites" security zone as opposed to the "internet" security zone - that way you can disable all sorts of scripting and ActiveX objects.
Just:
Tools->Options
Security Tab
Select "Restricted Sites" from the dropdown list.
Cheers,
- Sawbones
Ad in classifieds: Pandora's Box (no box) $5
What if someone were to embed the DeCSS code into a Word macro virus?
"I love you DeCSS!"
But how do you detect what is legitimate behaviour? E.g., a Word document macro may request images be downloaded via http to be displayed in the document. There may be valid reason for this: the .doc file will download faster, allowing you to start reading the text while the images are still loading.
But what if the macro encodes some data that it wishes to pass back to the server in the names of the image files it requests? E.g. instead of requesting grits.jpeg it requests grits_87.jpeg, passing a byte of data back to the server.
Packet sniff all you like - at an IP level you will see packets flying back and forth, at a TCP level you will see a port 80 connection, at a http level you will see a valid and justified GET command (how do you know that grits_87.jpeg is not the real name of the file?).
The only way that you could determine that the macro was evil was by looking at the source. Now, I have never looked at Word macro coding (I do my best to avoid looking at Word), but presumably like any scripting language you have the source there, you can check out what it is doing.
But this thread is broader than Word macros, check the subject - 'net access during install'. How can you truly determine what any piece of software is doing with the socket communications it makes without checking the source?
Packet sniffers are not enough - they tell you what is going on, but not why.
cheers,
G
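The post above is right that a single GET for grits_87.jpeg is indistinguishable from a legitimate one; what a proxy or web-server log does expose is the pattern across many requests, because a name used as a data channel has to keep changing while a real image name does not. The detector below is an added example (not code from the post or from any proxy product) that runs over a constructed access log in Common Log Format; the hosts, clients and file names are made up. It groups each client's image requests by name with digit runs collapsed, and reports groups where one client fetched several digit-varying variants, along with the set of response sizes as a second signal.

```python
"""Spot image requests whose file names look like they carry data, using a
proxy or web-server access log in Common Log Format."""
import re
from collections import defaultdict

# Constructed sample log (hosts, clients and file names are made up). Client
# 10.0.0.5 fetches four digit-varying versions of "grits" that all return the
# same tiny body; client 10.0.0.7 fetches ordinary images.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [30/Aug/2000:16:50:12 -0300] "GET /img/logo.gif HTTP/1.0" 200 1124
10.0.0.5 - - [30/Aug/2000:16:50:13 -0300] "GET /img/grits_87.jpeg HTTP/1.0" 200 43
10.0.0.5 - - [30/Aug/2000:16:50:14 -0300] "GET /img/grits_12.jpeg HTTP/1.0" 200 43
10.0.0.5 - - [30/Aug/2000:16:50:15 -0300] "GET /img/grits_200.jpeg HTTP/1.0" 200 43
10.0.0.5 - - [30/Aug/2000:16:50:16 -0300] "GET /img/grits_9.jpeg HTTP/1.0" 200 43
10.0.0.7 - - [30/Aug/2000:16:51:02 -0300] "GET /img/logo.gif HTTP/1.0" 200 1124
10.0.0.7 - - [30/Aug/2000:16:51:03 -0300] "GET /img/photo_2.jpeg HTTP/1.0" 200 58213
"""

# client ident user [time] "GET path HTTP/x.y" status size
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")


def parse_access_log(text):
    """Parse CLF lines into dicts; the query string is dropped from the path."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"client": m["client"],
                            "path": m["path"].split("?")[0],
                            "status": int(m["status"]),
                            "size": int(m["size"])})
    return records


def name_template(path):
    """Collapse every digit run so grits_87.jpeg and grits_9.jpeg compare equal."""
    return re.sub(r"\d+", "#", path)


def find_encoded_image_names(text, min_variants=3):
    """Return {(client, template): {"paths": [...], "sizes": [...]}} for image
    names that one client requested in several digit-varying forms.

    A real gallery can produce the same shape, so the response sizes are
    returned as well: many distinct names all answered with one identical,
    tiny body is what a cover image for a data channel looks like, whereas
    real pictures differ in size."""
    variants = defaultdict(set)
    sizes = defaultdict(set)
    for rec in parse_access_log(text):
        if rec["path"].lower().endswith(IMAGE_EXT):
            key = (rec["client"], name_template(rec["path"]))
            variants[key].add(rec["path"])
            sizes[key].add(rec["size"])
    return {k: {"paths": sorted(v), "sizes": sorted(sizes[k])}
            for k, v in variants.items() if len(v) >= min_variants}


if __name__ == "__main__":
    for (client, tmpl), hit in find_encoded_image_names(SAMPLE_ACCESS_LOG).items():
        print(f"{client} requested {len(hit['paths'])} variants of {tmpl}; "
              f"response sizes {hit['sizes']}")
```

This does not answer the post's deeper point, which stands: the log shows that something is being signalled, not what the macro intended, and only the macro source settles that. What it gives the defender is a reason to go and read that source.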
Ok, so if the Privacy Foundation is so upset about web bugs in MS Word documents, why does their OWN ADVISORY have a web bug in it? My filter (Guidescope) caught this little sucker: http://www.privacyfoundation.org/graphics/1pix.gif
(Awaiting an explanation.)
==
This post sponsored by the American Obstetrics Society:
This is all the more reason that I use pine to read my mail and reject (>/dev/null) most html-only mail I receive.
:)
If I get something really important from one of my friends or acquaintances, I might save and look at it in vi... but not before shooting a return message to educate them that I won't read the next one they send in html-only format.
Remember, there is a special place in hell for those who send html mail.
War is Peace. Freedom is Slavery. Ignorance is Strength. - George Orwell or George Bush?
Reasons people skip /. articles and go right for the comments:
to get furst
to be the first to pay homage to NP
to look like an idiot in front of one's peers
Much work has gone into making server systems secure. Most UNIX systems, and even NT can be relatively easily set up as a moderately secure web server. FreeBSD's jail() is a nice touch for secure virtual servers, and more esoteric systems like HP's virtual vault can give you more peace of mind yet (I am not convinced it is more secure than a properly configured Linux/BSD machine, but many bosses won't listen to that). However, client side security is a joke at best, and a catastrophe more often.
Any webmaster who has put Word through its paces already fully understands this exploit. The notion of pulling in graphics dynamically from a remote site is old news. Also, since Office 95 all the apps in there stopped being what they were and became development platforms. That's five years ago folks, hardly late breaking news.
.reg files. Mark my words here, we'll be hearing a LOT more about .reg file links in E-Mail and on the web making systems unusable.
.reg files. Through the use of a link or even a re-direct a nasty site can do some pretty damaging stuff with a far smaller file than ILOVEYOU was.
What I can't ever seem to get posted early in an article such as this is a warning about the wonders of the
If you're a Windows user, go into Netscape right freaking now under Edit-Prefs-Navigator-Applications and take out that entry for
On the other hand if you're an IE user... ummm, I hope you remember that browser integration with the OS is a *cough* Good Thing(tm). Keep remembering that through the repair install.
The line must be drawn here. This far. No further.
Sounds like fun but to be honest I hope it doesn't happen. Specifically because it wouldn't set a good example for the cause.
If in the very one dimensional, ignorant and manipulatable public eye, decss was more associated with virus-spreading crackers and script kiddies than it already is, it would only provide ethical ammo to lawsuits that are against it.
I guess the alternative is a polite self-propagating worm that asks the user's permission before it propagates itself. It wouldn't have nearly the same effect, though. :(
===
Mozilla has a problem with this too, and it's in danger of being cast aside because not enough people care about it.
Go cast your vote for bug 28327!
That's exactly what all the "everything is a file" defenders overlook. No inodes, no security settings, other than some all-or-nothing thing. Sure you can make everything LOOK like a file (heck, even Windows does that to some extent), but that doesn't MAKE it a file. If it really is a file, copy that socket to a floppy and let me put it on my machine. Hmm?
Uwe Wolfgang Radu
I think you're not getting it. There's a huge difference. In your vi example, the action you're describing is triggered by the user, or by a macro that the user has set up (and he still has to trigger the macro himself). But can you create a file with a wget command in it, and send it to me, so that when I load it into vi, my computer will run wget? No.
It has nothing to do with subshells or COM. It's about documents becoming applications. Users make choices that can affect their security whenever they run programs or perform actions in programs. With Microsoft apps, now merely viewing a document is an action that can have an impact on their security.
Because of this, Windows is now a system that should only be used by trained experts. Think about that, the next time you're buying a computer for grandma. Will grandma understand that viewing a document that someone sent her, gives the sender power over her computer (and thereby power over herself, if she uses the computer for anything important)? Even Linux would be a better choice! (But a Mac would be best. :-)
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
General rule of thumb: If you're doing something on the Internet, you're being logged.
Generally true, but if you are willing to suffer some inconveniences, you *can* significantly raise the level of your anonymity on the web. A simple way is to use Freedom anonymizer (non-free in both senses and no Linux version, but very useful nonetheless). The logging goes on, but logging content-free data is not very useful.
Do something useful: read "Transparent Society" and/or work on making yourself a more tolerant person, rather than fretting about your "privacy" (unaccountability).
Thankyouverymuch. I don't like Brin's ideas and would do a lot NOT to live in a society as he describes. I also don't see why you think that tolerance and desire for privacy are opposites or at least negatively correlated. Not to mention that privacy != unaccountability (you probably had anonymity in mind, but even then != stands).
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
I think you are comparing apples with oranges here. What does OpenBSD have to do with Windows 98?
OpenBSD is an OS targeted at small to medium size servers which are almost always networked. It is very secure and very stable so it is very good at its job.
Windows 98 is targeted at PCs that are connected to the Internet using a modem. It does not run any services so it is quite secure in that aspect. It is very easy to install. It runs thousands of applications and games (which all install with minimum fuss). You simply cannot do all that with OpenBSD (yet?). Having a BSOD once every few weeks while surfing the Internet or editing a document in Word is a compromise that most people are willing to make (and do make), since the alternative is to become a CS major first and then install Linux/OpenBSD/whatever and then not be able to run the applications that you are familiar with.
As for your argument with Microsoft putting bugs so that they can then sell upgrades with fewer bugs, this is just your paranoia talking. I am not saying that if their QA were more strict they couldn't produce a more stable OS but this is a long way from saying that they put bugs there on purpose. Besides look at the deterioration in performance in all the windows releases:
Windows 98 less stable than Windows 95 less stable than Windows 3.11
Windows 2k less stable than Windows NT4 less stable than Windows NT 3.51