Politech mailing list archives
FC: A sysadmin's view on HTML-Javascript email problems
From: Declan McCullagh <declan () well com>
Date: Tue, 06 Feb 2001 00:49:40 -0500
*********

The most concise argument yet for ditching your Windows mail client:

    s/<script language="Java\w+.*?">.*?<\/script>//gis

-Declan

PS: If you don't get the not-quite-a-joke above, RTFM at:
http://www.perl.com/pub/doc/manual/html/pod/perlfaq6.html

*********

Date: Mon, 05 Feb 2001 14:35:58 -0500
To: declan () well com
From: Larry Poos <poosld () ec rr com>
Subject: Re: If you forward HTML email, it could be eavesdropped
In-Reply-To: <5.0.2.1.0.20010205105538.00a686a0 () mail well com>

At 10:55 2/5/01 -0500, You Scribbled:
----[ BEGIN QUOTE ]----
:"Email wiretapping" seems a little overblown, but this is bad news.
:
:The new netiquette:
:1. Friends don't send friends HTML email
:2. Friends don't accept HTML email from friends
:3. Friends don't let friends use Outlook or Navigator to read email
:4. If you or a friend must break the above three rules, then disable Javascript
:5. If you or a friend must break the above four rules, remove Javascript
:code from the HTML email you forward (ask a geek for help)
:
----[ END QUOTE ]----

Rules 1-3 should IMO become law and company policy. Numbers 4 and 5 are pipedreams for these reasons:

A. Most users (in my experience) don't know how to disable Javascript.

B. Most users (again in my experience) won't remove the forwarding address from a two line message, resulting in 50 sets of >'s and pages of forwarding information. Why would they remove <SCRIPT> code?

C. Most users have no knowledge of HTML document layout or the mechanics and syntax of HTML (Thank you "Frontpage", another fine Microsoft product) so even if they wanted to remove it they couldn't.

As to "Ask a geek for help", I got better things to do with my time. Such as make sure the mail server stays up and also blocks the incoming spam you all hate so much but keep forwarding, closing up security holes and cleaning up the trojans and viri that users put on the system by opening every attachment they get no matter who sent it. You want to edit your email, then get your point and click 8 to 5 only body in here and take the computer training classes HR has set up. Oops sorry I forgot, we have to make it mandatory just to get you to come to the classes, held during work hours, on the applications you must use in your job, why would you come to an evening or Sat. class?

Until the decision makers wake up and demand that email applications reject HTML style text this "wiretap", trojan carrying, security-hole style of email will continue to be exploited.

HTML style email not only has opened security holes but has increased the bandwidth load by 500% because of the increased size due to the formatting codes added to the message.

As we have moved farther down the information highway I've come to believe that the makers and shakers have forgotten the "KISS" principle when it comes to email and browsers.

Paraphrasing Thomas H. Lipscomb in an earlier post on the "Digital Divide":

If by HTML you must go,
the underlying code you must know.

Larry D. Poos [System Consultant]
LTAD Enterprises
E-MAIL: (Primary) ldpoosld () ec rr com

************

Date: Mon, 05 Feb 2001 10:43:50 -0800
From: Lorraine King <lking () telus net>
To: declan () well com
Subject: Re: FC: If you forward HTML email, it could be eavesdropped
References: <5.0.2.1.0.20010205105538.00a686a0 () mail well com>

Declan,

Not sure how wide your reach is - maybe only geeks to whom this will be obvious - but with NS messenger it may not be obvious to everyone that you need to turn js *off* for messenger, but can leave it on for the NS browser.

I only use 4.6 - not dealt with by the referenced page so perhaps I am not affected (but not taking any chances, either) - and in its preferences, the js-for-mail option is nested under the general js option.

Declan McCullagh wrote:
>
> "Email wiretapping" seems a little overblown, but this is bad news.
>
> The new netiquette:
> 1. Friends don't send friends HTML email
> 2. Friends don't accept HTML email from friends
> 3. Friends don't let friends use Outlook or Navigator to read email
> 4. If you or a friend must break the above three rules, then disable Javascript
> 5. If you or a friend must break the above four rules, remove Javascript
> code from the HTML email you forward (ask a geek for help)

<snip>

--
Lorraine P. King
Telephone: (604) 936-6150
ICQ#11591526
Cellular: (604) 723-6051

Depth in content, depth in thinking, looking at a great many sources to get information is a dying art. -Bonnie Bracey

************

From: mikus () bga com (Mikus Grinbergs)
To: Declan McCullagh <declan () well com>
Subject: Re: FC: If you forward HTML email, it could be eavesdropped
Date: Mon, 05 Feb 2001 12:43:07 -0600

In list.poli, you wrote on Mon, 05 Feb 2001 10:55:49 -0500:
> "Email wiretapping" seems a little overblown, but this is bad news.
>
> The new netiquette:
> 1. Friends don't send friends HTML email
> 2. Friends don't accept HTML email from friends
> 3. Friends don't let friends use Outlook or Navigator to read email
> 4. If you or a friend must break the above three rules, then disable Javascript
> 5. If you or a friend must break the above four rules, remove Javascript
> code from the HTML email you forward (ask a geek for help)
>
> -Declan

Let me remind you of an incident which you (or somebody) publicised. (For which not even Javascript was needed!)

An individual using an anonymizer was posting messages (to various newsgroups) which criticized corporation XYZ. This criticism drew enough attention for XYZ to assign "sleuths" to the matter. The sleuths concluded the critic was an XYZ employee.

To track him down, the sleuths created an innocuous image on their own webserver, but activated a "sniffer" which would record the IP-address of anyone FETCHING that image. They then replied to one of the critic's messages using an HTML email message having a subject line they hoped would arouse his interest. The body of their message included a perfectly ordinary HTML tag referencing the image's URL.

The sleuths were in luck - the critic decided during lunch hour to connect to his ISP and check his private email. When the critic opened that particular message in HTML mode, the message body FETCHED (and displayed) the referenced image. The sleuths now had the IP-address (of the terminal within XYZ that the critic used), and were able to identify him.

mikus

************

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
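
Added example, not part of the original thread or any poster's code: a parser-based filter for an HTML mail body, shown beside the one-line substitution quoted at the top of the thread, which leaves a bare <SCRIPT> element, event-handler attributes and the automatically fetched image from the last message in place. It goes beyond the thread's regex by using Python's html.parser and an allowlist for URL attributes; the names MailSanitizer, sanitize and ALLOWED_URL and the sample message are constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# The one-line filter from the thread, transcribed to Python (i and s flags),
# reading its character class as \w.
ONE_LINER = re.compile(r'<script language="Java\w+.*?">.*?</script>', re.I | re.S)
# Allowlist: links the reader has to click, and images carried inside the message.
ALLOWED_URL = {("a", "href"): ("http:", "https:", "mailto:"), ("img", "src"): ("cid:",)}

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.removed, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":          # <SCRIPT> in any case, with or without attributes
            self.in_script = True
            self.removed.append("script element")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):          # onload, onclick, onerror, ...
                self.removed.append(f"{tag} {name} handler")
            elif name in ("src", "href", "background") and not (
                    value.strip().lower().startswith(ALLOWED_URL.get((tag, name), ()))):
                self.removed.append(f"{tag} {name} {value}")   # remote fetch or script URL
            else:
                kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif tag not in ("br", "hr", "img", "input", "link", "meta"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.in_script:       # text inside a script element is dropped
            self.out.append(escape(data, quote=False))

def sanitize(html):
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()                   # flush text still buffered by the parser
    return "".join(parser.out), parser.removed

# Constructed sample message body (not taken from the thread).
SAMPLE = ('<body onload="report()">Numbers attached.<SCRIPT>report()</SCRIPT>'
          '<script language="JavaScript1.2">report()</script>'
          '<img src="http://tracker.example/pixel.gif" width="1" height="1">'
          '<a href="http://www.example.org/">link</a></body>')
```

sanitize(SAMPLE) returns the cleaned body together with a list of what was removed, which a mail gateway could log per message.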