Re: Spaf did not receive your email (was Re: [SECURITY ] Job Descriptions)

["Howell, Paul" <grue () UMICH EDU>]

There is a thoughtful list of issues at
http://www.goldmark.org/netrants/no-word/attach.html
on this topic.

Folks that have been doing security for a while have long known that macro
viruses in products such as Word and Excel represents a threat. Melissa was
one such virus.

As a result, there is a history of recommending that more execution neutral
formats such as PDF and plain text be used instead.

Time has changed things though.  Today, many people (including security
experts) commonly email word, ppt, and html, all capable of executable
content.

Likewise, malicious javascript and java are threats to web surfing.  Yet
many web sites operated by security firms try to use these languages.  Some
won't work correctly unless one or both are enabled.  The X-Force database
is an example of this.

In short, the different sides of this issue seems like an example of
old-school vs. new-school risk calculations.

< paul

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.