RE: [fw-wiz] Re: Anybody Recognize These Uploads?
From: Bill Royds (broyds@rogers.com)
Date: 01/05/03
- Next message: Paul D. Robertson: "Re: [fw-wiz] Re: Anybody Recognize These Uploads?"
- Previous message: Christopher Hicks: "Re: [fw-wiz] Re: Anybody Recognize These Uploads?"
- In reply to: Paul D. Robertson: "RE: [fw-wiz] Re: Anybody Recognize These Uploads?"
- Next in thread: ravi: "[fw-wiz] insecurity in internet connection thro cable modems"
From: "Bill Royds" <broyds@rogers.com> To: "Paul D. Robertson" <proberts@patriot.net>, "Noonan, Wesley" <Wesley_Noonan@bmc.com> Date: Sun Jan 5 12:00:18 2003
I manage and moderate a local environmental mailing list. In general the rule is text messages, so I convert HTML messages sent to me into text before forwarding them to the list. But occasionally a message arrives that needs to use HTML (a poster for a meeting for people to distribute, with images and maps, for example).
But I never need to send executable content in an e-mail. So there is a place for static HTML in emails, but there is never any need for JavaScript or inclusion of external content.
If there were settings "Do not fetch external files" and "Do not execute any scripts or attachments", then perhaps Outlook would be safer. As it is, Microsoft has all or nothing security. Never render anything, or render everything. Unfortunately that seems all too often to be a Microsoft approach to security. We depend on Microsoft software not having bugs as it determines whether things are safe. Putting all your trust in bug-free code is not the way to security.
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf Of Paul D.
Robertson
Sent: Sun January 05 2003 11:19
To: Noonan, Wesley
Cc: 'Christopher Hicks'; R. DuFresne;
firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] Re: Anybody Recognize These Uploads?
On Sat, 4 Jan 2003, Noonan, Wesley wrote:
> users want. As functionality is added, because customers want it, so are
> bugs and vulnerabilities. The sad thing is, if the users do find an
Let's just dispel this myth. Features in a lot of software aren't added
because of customer wants, they're added as marketing feature draws[1], or
for other business reasons by vendors. Yes, occasionally a user-requested
feature gets added, but mostly it's companies trying to push in a
particular direction. Lots of companies asked for a version of Word that
wouldn't do macros once upon a time. Lots of companies now would like a
version of Outlook that can't render HTML. I think I know 2 people who
use HTML in e-mail. I don't see a groundswell requiring it. I know a lot
of companies, representing hundreds of thousands of users who'd be really
happy with a copy of Outlook that simply wasn't capable of rendering HTML
(the client, not funky filtering between the client and the server, and
not server-side stuff.) While I'm dreaming, how about a copy of Exchange
that isn't capable of auto-HTMLing mail originating on a client set to do
plain text? You wouldn't believe the posts I reject here because the
original author isn't able to control the formatting of their own
messages.
While we're in the dragging parents into it mode (Hi Cat!)- my Dad uses
Outlook (or Outlook Express) at work, but I've gotten him to Pegasus at
home (which happened back when there was a lot of autoexecuting preview
pane stuff going on with Outlook Express.) He knows how to send and
receive mail, and he's happy- initially he wanted Outlook Express at home,
because he knew the interface, but he went and loaded Pegasus on his brand
new computer last week (quite a feat, I can assure you) instead of using
Outlook Express, because now he's familiar enough with Pegasus' interface
that there's nothing "featureful" that's significantly different from
Outlook Express to have him "need" Outlook Express.
It's a mail client, there's just not that much to mail. Tacking on stuff
until it bloats past usability/security isn't going to help. At some
point, the user population will understand that it's possible to *finish*
software. That there's no gain to them for some change due to someone's
idea that the market will flock to a competitor if they don't change
something every quarter or two.
Right now, the market is being manipulated by vendors that want to boost
quarterly earnings reports by getting people to change software
frequently. That's the driver, not the user, not the feature, pure and
simple artificial economy generation.
Personally, I can only just remember the last time a word processor added
a feature worth upgrading for (WYSIWYG and compound documents were both
worth-while.)
Paul
[1] While there's some correlation between marketing features and
customers, it's rarely customer driven in the mass-market software
industry. That's because a significant portion of customers would be
perfectly happy with "don't add feature $Foo," and I'd hazard to guess in
most cases that portion would be larger than the portion who want feature
$Foo.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
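The split Bill Royds draws at the top of this message, static HTML with embedded images on one side and scripts or externally fetched content on the other, can be checked mechanically before a message is forwarded. The following is an added example, not part of the original messages: the tag and attribute lists, the finding labels and the sample message are assumptions made for illustration.

```python
# Added example, not from the original messages; SAMPLE is a constructed message.
from email import message_from_string
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}
FETCH_ATTRS = {"src", "href", "background", "data"}
REMOTE = ("http:", "https:", "//")

class HtmlAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag))
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):              # onload, onclick, ...
                self.findings.append(("event-handler", name))
            elif value.startswith("javascript:"):
                self.findings.append(("script-url", name))
            # <a href> is only followed on a click; cid: images live in the message
            elif name in FETCH_ATTRS and tag != "a" and value.startswith(REMOTE):
                self.findings.append(("remote-fetch", tag))

def audit_message(raw):
    """Return findings for every text/html part of a raw RFC 822 message."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        parser = HtmlAudit()
        parser.feed(part.get_payload(decode=True).decode(charset, "replace"))
        parser.close()
        findings.extend(parser.findings)
    return findings

SAMPLE = """\
Content-Type: multipart/related; boundary="B"

--B
Content-Type: text/html; charset="utf-8"

<html><body onload="track()"><img src="cid:map1"><script>var x = 1;</script>
<img src="http://tracker.example/p.gif"><a href="http://example.org/a">agenda</a></body></html>
--B--
"""
```

An empty result from `audit_message` means the HTML parts are static in the sense used above; any finding is a reason to convert the message to text before it goes to the list.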