On Fri, Jul 05, 2002 at 10:59:01AM -0400, Tom Neff wrote:
> This is the kind of "assumption gap" that list admins need to watch out for
> IMHO. Many listmembers have little or no choice in the MUA they use on a
> daily basis, because they are non-privileged users on departmentally
> managed PC's or mainframes, or otherwise subject to software policies over
> which they exercise no control. Many more folks find themselves with even
> less choice in the "MUA's of opportunity" they use in temporary
> environments like airports, PDA's, in-laws' homes, overseas etc.
I find this argument analogous to advocating that we should allow everyone
to drive Corvairs because they are the only vehicles available to them --
with reckless disregard not only for their own safety, but for everyone
they come into contact with.
Removing the impetus for people to use sensible email clients (of which
a plethora are available) simply means that they will continue to use
braindamaged software like O/OE, because they can. This is bad for them.
This is bad for us. This is bad for the Internet. The only beneficiaries
of this are (a) Microsoft and (b) the incompetent network admins who
choose to provide Microsoft software because it is the path of
least resistance.
By accommodating them, we shift the consequences of their bad decisions
onto us and our users, neither of whom should have to shoulder this
responsibility.
> What I call elitism is the "get a real mailer or get off my list" attitude.
I hardly call asking people to please use software that complies with
the relevant standards and which does not pose an active threat to other
users "elitist". Sheesh, that's a pretty low place to set the bar, and
anybody who can't (or won't) clear that should go plug themselves into
a network where standards, interoperability, and cooperation don't matter. [1]
> Nevertheless, when properly configured (which almost nobody does) OE, at
> least, can be used safely. I end up stuck with it maybe twice a year and
> escape to tell the tale.
I don't believe this to be true. New O/OE problems are being discovered
at a rate much higher than fixes are being issued. Here's a *tiny* sample
culled by a cursory, hasty search of Bugtraq archives:
One of the Outlook overflows
Outlook 98 Security "Feature"
Outlook 98 allows spoofing internal users
Minor privacy exploit in Outlook Express
Outlook Express Win98 bug
Outlook denial of service
MS Outlook alert : Cuartango Active Setup
Outlook Express 5 vulnerability - Active Scripting may read email
IE and Outlook 5.x allow executing arbitrary programs using .eml
Hide Drives does not work with OUTLOOK 98.
Overflow in Outlook Express 4.* - too long filenames with graphic
Eudora Pro & Outlook Overflow - too long filenames again
Microsoft to release a new Outlook Security patch
Microsoft Outlook (Express) bug..
Microsoft Outlook Malicious URL Vulnerability
Circumventing Outlook Security Update File Download Security With Fake Attachment
Aaron Drew - Security Advisory: Buffer Overflow in MS Outlook &
Remotely Exploitable Buffer Overflow in Outlook "Malformed E-mail
Buffer Overflow in MS Outlook Email Clients
Outlook exploit fix opens old hole?
MS Word and MS Access vulnerability - executing arbitrary
Outlook winmail.dat
vCard DoS on Outlook 2000
IE 5.5/Outlook Express security vulnerability - GetObject()
IE 5.5/Outlook security vulnerability
IE 5.5/Outlook java security vulnerability - reading arbitrary
IE 5.x/Outlook allows executing arbitrary programs using .chm
A subject line buffer overflow in Outlook Express
EML Content Spoofing and Informed Consent
XML scripting in IE, Outlook Express
SECURITY.NNOV: Outlook Express address book spoofing
Outlook 2000 Rich Text information disclosure
carol clickme: Outlook Express 6.00
FREAK SHOW: Outlook Express 6.00
Buffer over flow on Outlook express for Macintosh
Microsoft's Outlook Express 6 "E-mail attachment security" Flawed
Small flaw in Outlook Express
PGP Plugin for Outlook can send unencrypted messages
Outlook will see non-existing attachments
Questionable security policies in Outlook 2002
How Outlook 2002 can still execute JavaScript in an HTML email message
HELP.dropper: IE6, OE6, Outlook...lookOut
Authentication with RSA SecurID and Outlook web access
Outlook Express Attach Execution Exploit (img tag + innerHTML + TIF dos name)
More fun with html mail: Outlook Express, Internet Explorer, Other etc
dH team & SECURITY.NNOV: special device access, information leakage and DoS in Outlook Express
Update and comments on the MS02-023 patch, holes still remain
Merely attempting to read, understand, and patch O/OE to deal with this
is a significant task. (Doubly so given that some of the issued patches
break other issued patches.) I assert that it's far easier for J. Random
User to simply install another, more sensible mail client than to deal
with all of this.
> What you call the "point and drool crowd" can easily include the CEO of a
> major corporation, or an opera singer of world renown, or your wife's
> mother. Pulling the BOFH act with people who have real lives is what I
> think gives us an *actual* bad name, as opposed to the inside-baseball "bad
> name" of daring to be too accommodating.
I disagree. I think we serve the Internet, ourselves, and our users very
poorly by falling into the populist trap of assuming that everyone belongs
on the Internet using whatever software they wish. They don't.
We require certain minimum standards for some activities in our society:
we do this because we recognize that permitting just anyone to engage
in these activities without a modicum of training and/or demonstrated
ability poses an unacceptably high risk to society (and to them).
Examples include:
- driving a motor vehicle
- providing medical care
- flying an aircraft
- providing legal counsel
- designing a bridge
- piloting a ship
- and so on
This is a diverse list: some of the minimum standards are achievable
by nearly anyone (getting a driver's license) while others are much
more difficult. One could even argue that some standards are so low
as to be moot: perhaps. But the point is that they all represent some
attempt by society to provide at least token assurance that the persons
engaging in these activities have a shred of ability to do so -- because
we'd be awfully annoyed, inconvenienced, and injured if planes fell out
of the sky every few hours or bridges collapsed once a week and so on.
Yet when someone argues for a minimum standard for participation
in the Internet ("don't use a mail client which is best known for
its security holes and virus-propagation facilities"), this is somehow
"elitist". It's no such thing. It's merely the extension of this
same reasoning to a new area (which we do from time to time as we
invent new areas for ourselves).
Look, I don't care (as a mailing list manager [2]) if people want to run
Unix, Linux, MacOS, Windows, BeOS, whatever and participate in the mailing
lists. What I care about is that they do so in a way that reflects
some modicum of cooperation with the Internet community ("don't spew viruses
all over the place") and some modicum of basic netiquette skills ("don't
top-post, don't use HTML"). While it's remotely *possible* for someone
running O/OE to do this -- in the same way that it's remotely *possible*
for a highly skilled mechanic to modify a Corvair to the point where it's
safe -- it's way, way beyond the reach of nearly everyone else.
The answer is thus not to accommodate it, but to exert pressure to change it.
And that's not "elitist", any more than saying "uh...you probably want
to drive something other than that Corvair..." is "elitist".
Thought experiment: what would happen if tomorrow every mailing list
manager on the planet banned messages generated with O/OE? How long
do you think it would take most people to shake off the inertia and
get rid of it then? (I don't know: I pose this as an afterthought that
just occurred to me, and admittedly, I haven't thought it through.)
---Rsk
Rich Kulawiec
rsk@magpage.com
[1] Maybe there should be a Microsoft-only network. It's arguable
that this would be in everyone's best interest. ;-)
[2] I certainly care as an individual. Use of Microsoft products is
both unprofessional and unethical.