Slashdot Mirror


User: AllynKC

AllynKC's activity in the archive.

Stories: 0
Comments: 56

Comments · 56

  1. Re:MS can then say "I told you so" on Microsoft Develops Security-Path for Outlook · · Score: 1

    What was I thinking? If the user's script is using a separate database for addressing a newsletter; then the script has no business accessing Outlook's Address book - so no need to disable the dialog. It will be getting its addresses from a different source. A virus would need to know how to find that other source, so that shouldn't be a risk for an "I Love You" variant. I just skipped a track when thinking that one through.

  2. Re:MS can then say "I told you so" on Microsoft Develops Security-Path for Outlook · · Score: 1

    On a related item ... I like the idea of the dialog box before a script can access the address book. But, can the dialog be disabled by those who use scripting for sending newsletters to all the addresses in a separate database? I can't find any information on that.

  3. Re:MS can then say "I told you so" on Microsoft Develops Security-Path for Outlook · · Score: 1

    I agree that it's just as big of a security risk; but it does add an extra step that will at least make it more difficult for the truly computer-challenged to inadvertently launch the virus (and I've worked around several people in this category). While I have SR-1 installed, I honestly hadn't noticed that change (I never launch directly from Outlook, so never saw the block - even then, I call the sender before running if I hadn't been expecting an attachment from them).

    Let's face it, even with ".exe" files not being allowed as an e-mail attachment, if you send an e-mail that says to use ftp to get the file, you'll still get someone fool enough to download and run the thing. I still see the patch as an attempt to patch the user, rather than the software (mail client and OS).

    Have VBScripting default to disabled, all scripting types disabled by default within mail clients, and secure all program files so they can't be modified by a user-level executable, then the security issues of the software would be much better addressed. Two of these can be addressed by MS now and while not eliminating virii, would at least limit certain types, as well as limiting the number of machines that could be potentially affected (only those who had a need to activate scripting would be at risk). The third requires a fundamental design philosophy change and an OS rewrite, and is unlikely to be implemented anytime soon.

  4. Re:MS can then say "I told you so" on Microsoft Develops Security-Path for Outlook · · Score: 1

    Perhaps my phrasing could have been better. I should have said launched rather than ran.

    By saying "if a script is ran externally from Outlook, assume that the user ran it him/herself, and give it access to the Outlook Address book (there are legitimate times when this is useful). If the script is ran from within Outlook, then it should be assumed to be insecure" I was primarily addressing from what point it was launched. Double clicking on an attachment to launch it, for the purposes of my post, should be read as running it from within Outlook. Saving it to a drive, then launching it from there, was what I meant by running it externally. I realize that the VBScripting is an external application; one which I believe (although it has been argued against this by others) should be disabled by default and only activated by/for those who need it.

    I would also like to see all ActiveX scripts to be disabled by default from within Outlook; the "secure zone" setting still allows those unless you modify it. But that's a different issue.

  5. MS can then say "I told you so" on Microsoft Develops Security-Path for Outlook · · Score: 3

    It is a blatant overreaction, and limiting the attachments doesn't address the underlying security flaws; it only hides them. Prevent executables from running directly from within Outlook, or if they are ran, greatly limit their functionality if they are ran from within Outlook. For instance, if a script is ran externally from Outlook, assume that the user ran it him/herself, and give it access to the Outlook Address book (there are legitimate times when this is useful). If the script is ran from within Outlook, then it should be assumed to be insecure and not be given access to the Outlook Address book, and should not be able to modify other files on the system.

    There will be a loud scream of protest from users who download this patch. They will want to be able to send many of these file types via e-mail. MS will, of course, provide an uninstall for their patch, say "I told you so, you really do want the full level of functionality", and then go on happily ignoring security issues, always referring back to this failed attempt as the reason (ie: "we tried implementing greater security, users hated it, so we removed it").

  6. Re:How can they do that? on Mitnick Ordered Off Lecture Circuit · · Score: 2

    I thought the law was more generic than that. Something along the lines of being illegal to profit by selling your story (including books, movie scripts, etc). I think it would be a stretch to include his lectures, but I suppose it depends upon how his lectures were presented.

    Has anyone heard one of his lectures? Does he discuss his story, does he describe abuses of power by gov't, does he discuss technology in general, or is it as described "educate others about protecting themselves against cyberspace intrusions"? If it's any of the last three, then I can't see how they can legally restrict him on this.

    This sounds more like the government being upset that he found a source of income greater than what the judge expected "she thought Mitnick would be unable to earn anything above minimum wage". Either way, this one's bound to end up in court.

  7. Only those who know are likely to go to the site on Red Hat Is Not Linux (dot org) · · Score: 1

    Too bad those who don't understand this are the least likely to go to that site. Oh well, at least I have a URL to post in message boards that might help get the point across.

  8. Splitting the market? on US PlayStation 2 To Have A Modem & Hard Drive? · · Score: 2

    If they do add the modem and hard drive to the US version, won't that effectively split the market for the game designers? Now they can either write a game that doesn't use the modem and drive storage, so that international release is limited to PAL/NTSC changes and language translation. Or, they can write the game to use the modem and hard drive in the US, and have to dummy down the game or not release it at all internationally.

    It seems that for game platforms, creating multiple configurations will fragment your market and give an advantage to a competitor who has the same configuration across all markets.

    If they do add the modem and hard drive, I hope they make a low cost add-on available to the Japan version that is functionally compatible so that they don't suffer from having multiple variants of the console in different markets.

  9. Re:Average computer speed. on Overclocking is a Counterculture · · Score: 1

    That might be the average of new machines being sold; but there's no way that 600MHz is the average user's system. At least, not their home system. Let's face it, few apps require PC power over 200MHz; even fewer over 400MHz. Most home users get more bang for their buck by upgrading their video cards.

    As for the Doom reference; maybe they just used that since it's one of the most widely recognized 3D games among the non-gaming public?

  10. Other copies of the story. on Overclocking is a Counterculture · · Score: 3

    Actually, that's ZD-AU's copy of ZD-USA's copy of the Wall Street Journal's story from the 10th.

    For those who have trouble reaching the site, here's the ZDnet-USA copy of the story.

  11. Re:MPEG 4 AAC on Ogg Vorbis And Xiphophorus · · Score: 1

    Where I work, he who requests/suggests something just volunteered to head up its development. So ... how's that codec design coming? :)

  12. Re:The Deeper Truth on The Dual 1GHz Pentium III Myth · · Score: 1

    Are you referring to the PIII erratum that caused multiple PIII systems to have potential conflicts when accessing memory simultaneously? A BIOS update to fix that came out middle of 1999. Issue resolved, old news, not a problem anymore.

  13. Re:Penn State "bans" links on Judge Rules Deep Hyperlinking OK · · Score: 1

    FYI, your link doesn't work externally, it gives "you do not have permission to view that page".

    Here's a copy of the policy that is available for external viewing: Policy AD52 LINKS TO OR FROM PENN STATE WEB PAGES

    For some reason, I just LOVE making an external link to that PENN state policy ... is that wrong? :)

  14. The law DOES NOT ban spam. Still allowed by it. on Judge Deems Washington Anti-Spam Law Unconstitutional · · Score: 1

    Unfortunately, this law has been widely misunderstood, both by its supporters and those opposed. Read again what Washington State's Unsolicited Commercial E-mail law forbids:

    • False information identifying the point of origin of the message or that hides the true origin of the sender (False Header)
    • False or misleading information in the subject line (False Subject Line)
    • A third party's e-mail address (domain name) without permission

    If a person wishes to send unsolicited commercial e-mail, they are still allowed to do so freely within Washington. They must simply use a legitimate e-mail address which they are authorized to utilize, and not use a subject line which may mislead a person to think it's from a long lost friend, a reply to a prior message, or some other similarly misleading subject.

    Unlike some anti-spam measures in other states, this law simply requires that those who send e-mail to recipients within Washington state follow ethical business practices. Nothing more. It then provides a means for the recipient (and the state) to enforce it (at least, to enforce it against any organization which itself has assets within the USA). Ethical business practices are not, nor have they ever been, an excessive burden on business.

  15. Flawed Logic on Victory in Holland · · Score: 2

    My favorite example of the flawed logic on the side of pro-filtering is this one:

    For Gary Glenn, president of the family association's state chapter, the issue is simple. "Our only concern is providing maximum protection for children," he says, citing a recent case in Muskegon, Mich., where a girl was raped at a library with full Internet access.

    While it's sad and unfortunate that a girl was raped at a library, the logic in the argument is flawed. It could equally read that the girl was raped at a library that carried Winnie the Pooh. The Muskegon Library points out that the man who committed the act didn't even access the internet; there is absolutely no evidence to support the theory that the library having unfiltered internet access contributed in any way. Yet in the minds of the pro-filtering groups, this was a direct cause.

    Remember, if this vote comes to your town, these are the types of flawed logic and half-truths that you'll need to fight.

    On a side note to Jamie: Does the opposition have a website? Is there a location that has a collection of the counter-arguments used to fight the misinformation?

  16. Zoning is blatantly anti-consumer on DVD Zoning Challenged by UK Supermarket Chain · · Score: 2

    If I buy a DVD, and travel to the UK, why should I not be able to play my DVD on a friend's DVD player in that zone? The DVD was purchased, it should be completely legal.

    To a limited extent, I can understand that it can slow pirating; since the pirates must buy an original to copy from each zone in which they plan to sell it. However, for an industry making the kind of money found in piracy, do you really think that having to buy separate originals for each zone's encoding is really going to stop anything? It's as absurd as the concept that encoding slows pirating. The pirates don't care about the encoding, they copy the fully encoded data and burn it back onto a disk identically.

    The only pirates slowed by these techniques are the relatively low tech/low volume home copiers. Not an adequate offset to the effect of preventing the consumer from freely making legal use of what they purchased.

  17. A similar law works adequately in WA on Anti-Spam law Passed in Colorado · · Score: 3

    Here in Washington state, we have had a law against unsolicited commercial e-mail since 1998. Washington's law does not flatly prohibit the sending of unsolicited e-mail, but it does make it illegal in Washington to send an unsolicited commercial e-mail using: (a) False information identifying the point of origin of the message or that hides the true origin of the sender (False Header). (b) False or misleading information in the subject line (False Subject Line). (c) A third party's e-mail address (domain name) without permission.

    There is an in-state registry, where you can identify your e-mail address as being in WA state (not really effective, but it at least handles an initial hurdle on filing claims later).

    A local ISP has provided a sort of "how-to" on chasing down the spammers and making money. One of the more interesting links is a step-by-step guide to getting the spammers to pay.

    These laws can be effective; the catch is that it's time consuming to follow thru on them. In Colorado, at only $10 per message, it won't be worthwhile for most individuals to invest their time. Although the ISPs stand to make quite a bit if they can satisfy the courts that the spammer has reasonable knowledge or means to learn that the destination addresses were in that state.

    Still, these laws don't do too much against non-US spammers. Many of them couldn't care less about a state's law since they're relatively safe from any prosecution.

  18. Microsoft is now denying that it's an option ... on Will Microsoft Open Windows Source Code? (No!) · · Score: 1

    An addendum to the story: According to this story on ZDNet (which also ran the open source Windows story earlier), Microsoft is denying that opening up the code is an option.

    For some odd reason, the "submit story" link wasn't working as of 9:15pm PST - so I was unable to submit this as a news update.

  19. Re:Distributed DoS on AMD's David to Intel's Goliath · · Score: 1

    I was over at Tom's reading the article when the server got overloaded. Since I couldn't do anything there, decided to check out Slashdot ... ahhhhh, now I see what went wrong over there. :)

    Tom has a paranoid streak when it comes to Intel; but he does make some very good points about their repeated mistakes on the i820, Rambus, etc. If AMD had made those types of blunders, they would've been out of business by now. Only Intel has the clout to even attempt to recover from such public fiascos. And now if (as has been suggested by Tom and others) that the Itanium will be a complete flop, then Intel could very easily lose its crown to AMD or even Transmeta.

    On AMD - why does he give such hope to Sledgehammer? It's vaporware. It should be shown on the roadmap, and that's about it.

    On Transmeta - I'll wait to see how well actual performance is before I jump for one. It'll be great for my PDA, maybe for a laptop, but for a main desktop system I want to see how efficiently it can emulate an x86 before I make any plans around one. It has promise, but I'm in "wait and see" mode.

  20. Re:Age of Empires - One of the best games on Forum: Future Ports of Games to Linux · · Score: 1

    I absolutely love AOE and now, AOE2. Really, it's the only reason I have Win98 still in the house. Problem is, with it being distributed by Microsoft, it's not real likely to be ported to Linux. Unless, of course, MS is broken up - a "baby-bill" that is simply in the market to sell its product, and not worrying about its OS interests would be much more willing to port their games. Ahhhh - finally, a reason to give a rip what happens in the trial - a port of AOE! One can dream, anyway :)

  21. Then why give them all dorm room access? on Bills to Restrict Campus Internet Access · · Score: 3

    High speed internet connections have become a selling point for universities that have it in the dorms; and a major stumbling block for those universities that don't.

    Now, after investing who knows how much, they want to take away a large degree of that usability? These systems clearly have the bandwidth, so they can't claim that all the non-educational activity is stealing from students involved in educational research. Just another case of someone trying to superimpose his/her morals onto society. As long as no crime is being committed, the students should have full access to the internet.

    As for that visitation thing; get real. At my school, some dorm halls had that, and those who wanted it could live there, but they always had a tougher time filling those rooms than those on the rest of campus. Apply it to the full University system, and off campus landlords will be rejoicing.

  22. Re:ouch on @Home Gets the Usenet Death Penalty · · Score: 1

    Stinks to be roadkill on the information superhighway, doesn't it? Your best bet is to write a letter to @home customer service complaining about their lack of action which resulted in your being banned. In the meantime, you can register at dejanews.com (not the best means of navigating the news groups).

  23. WA state spam law on Suing the Spammers · · Score: 1

    I keep watching for a spammer to try getting me - I would love to collect $500 from them for violating the WA state unsolicited commercial e-mail law.

    Oh well, I'm probably better off not having to go thru the court system. Still, nice to know the law's there. Now if Congress or the White House would just write one for the whole country (preferably even stricter than the WA one - which doesn't make spam illegal; just makes misrepresentation in the header or subject illegal).

  24. Look out! on Guide to Slashdot · · Score: 1

    Uh-oh, now you've done it, you explained it to the masses.

    Now 1337-5p34k is going to feel the Slashdot effect. Too many people can read it, so time to accelerate the word morphing process. And there's nothing more dangerous (?) than having the entire h4X0r community irritated at you for explaining their language.

  25. Fur57 Po57 $ucKa$ on Guide to Slashdot · · Score: 0

    Fur57 Po57 $ucKa$

    Couldn't resist ... besides, the article says to post that. Oh, wait - I'm using correct grammar - DAMN! There goes that Karma marketing magnet.