On Fri, 31 Jan 1997, Russ wrote:
> Wait a second. Why should this exploit be treated any differently than
> any other misconfiguration exploit? Why is the fact that someone
> downloaded an application from an unknown untrusted vendor and found it
> to be malicious a condemnation of ActiveX?
Russ, I think that we're off two different views when it comes to
There is one school of thought which says, if a technology meets its
specifications, and if those specifications are well-known, then it is the
user's responsibility to weigh the impact of this technology and wield it
with whatever impunity she thinks proper, given her own personal
requirements. This, I take it, to be your general opinion.
There is another school of thought which says:
- Microsoft Explorer will soon be the default _interface_ to the
most popular operating system.
- most users are clueless.
- given the former two, the ability to perform random actions with
a user's Quicken merely by luring them to a web page threatens
This is my general opinion.
> 1. If the default IE implementation existed on the exploited machine,
> they were informed of the company name who signed the certificate, and
> were asked to confirm acceptance of the object. In which case, they
> chose to trust an untrustworthy company, why is that the fault of
It's my fault for not protecting them from a danger which has a severe and
direct impact on my coworkers' finances, and upon my job.
> 2. If they previously had told IE to accept all signed certificates,
> then they chose to leave their machine wide open, again, why is that
> ActiveX's fault?
It's not. ActiveX is completely absolved in that case, as is a chemical
plant which gets all the residents of it's adjoining neighborhoods to
sign waivers before it spews 400,000 tons of DDT into the groundwater.
I don't want my CEO, our database administrator, or our secretary to be
affected by either of these happenstances, which is why I am now turning
off ActiveX behind our firewall.
> As we always say about Firewalls, if the user chooses to ignore or be
> ignorant of the risks of the configuration their using, nothing can
> protect them.
True. If a user is aggresively clueless, then at some point they will be
hurt to some degree. Whether it be warez-kiddies stupid enough to infect
their machines (and the network) with viruses, or whether it be web
browsers so enamored with full multimedia when reading up on the latest
warez sites, stupid people do stupid things which harm themselves and
That having been said, there are steps which I can take to reduce the
marginal probability of complete annihilation.
The CBA WRT ActiveX offers an insufficient CYA factor to warrant continued
support for this technology within our organization.
Todd Graham Lewis Mindspring Enterprises tlewis @