lkvam at venix.com
Tue Jul 3 19:32:04 EDT 2007
On Tue, 2007-07-03 at 16:45 -0400, Ben Scott wrote:
> On 7/3/07, Bill Sconce <sconce at in-spec-inc.com> wrote:
> > And from that standpoint there can be no other answer than
> "There is no such thing as security. Only risk management."
> It can be argued (quite correctly, I think) that allowing arbitrary
> systems out in the world to send stuff for your computer to be
> interpreted in complex ways is always a very risky proposition. And
> are damn complex on their own. Even without implementation bugs (of
> which there is an apparently endless supply), there is ample
> intrinsically more evil than interpreting HTML?
HTML is simply a bunch of text tags. Aside from meta-tags (e.g. refresh)
and some issues with image processing - which is really not part of
HTML, there is not much scope for attack (except perhaps via frames?).
There is always the possibility of an exploitable browser bug, but I
think the risk with open source browsers is reasonably low.
connections to servers, generated text, and more. Bugs in the sandbox,
programming errors, and general complexity open avenues for attack.
> And you put email
> into the picture, and geez...
And you keep automatic image loading off so that you don't notify the
spammers that you opened the email, Right??
abuse of *my* computer when visiting other sites. When necessary, I'll
> This isn't just idle speculation. There's good reason we don't
> permit computers with classified information on them to be connected to
> the Internet.
> At the same time, there are some very real benefits to networked
> participation. If there weren't, this Internet fad would have died
> out after the first few worms. Cutting oneself off in the name of
> security isn't a very good solution for most.
> or something else entirely (maybe sandboxed Python -- ha! on-topic!),
> I think this kind of thing is inevitable.
Oddly enough, I can often skip right through register-to-view-screens
and on to the "protected" content simply because the protection is
> -- Ben
1 Court Street, Suite 378
Lebanon, NH 03766-1358