Re: Jargons of Info Tech industry
On Wed, 12 Oct 2005 21:50:22 GMT Roedy Green [EMAIL PROTECTED] wrote: It is almost like providing ladders and setting out cookies and milk for the burglars. Fire escapes at christmas. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Xah Lee [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Rethink what you are saying. You'll see that what you propose as reasons for one, is actually for the other. Nonsense. It is plain error to change what someone said and claim they said it, even if you think that what you are changing isn't important. DS
Re: Jargons of Info Tech industry
In comp.lang.java.programmer Paul Rubin http://[EMAIL PROTECTED] wrote or quoted:
> Tim Tyler [EMAIL PROTECTED] writes:
> > Are there any examples of HTML email causing security problems - outside of Microsoft's software?
>
> There was a pretty good one that went something like
>
> Click this link to download latest security patch! a href=http://www.mxx.com.Microsoft Security Center/a
>
> where mxx is microsoft with the letter i replaced by some exotic Unicode character that looks exactly like an ascii i in normal screen fonts. The attacker had of course registered that domain and put evil stuff there.

I didn't think unicode domain names existed. It seems that they are in the pipeline:

``After much debate and many competing proposals, a system called Internationalizing Domain Names in Applications (IDNA) was adopted as the chosen standard, and is currently, as of 2005, in the process of being rolled out.'' - http://en.wikipedia.org/wiki/Internationalized_domain_names

It looks like the security issues are probably going to be dealt with via technical fixes:

``On February 17, 2005, Mozilla developers announced that they would ship their next versions of their software with IDN support still enabled, but showing the punycode URLs instead, thus thwarting any attacks while still allowing people to access websites on an IDN domain. This is a change from the earlier plans to disable IDN entirely for the time being.'' - http://en.wikipedia.org/wiki/Internationalized_domain_names

Anyway, I'm inclined to suggest this is a DNS problem. It would apply to any format that allowed rendering of domain names using the unicode character set they are intended to be displayed using.

Even without unicode, the homograph attack is still viable, due to things like the l/I issue in many fonts - as pointed out on: http://www.centr.org/docs/2005/02/homographs.html

--
__ |im |yler http://timtyler.org/ [EMAIL PROTECTED] Remove lock to reply.
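The punycode display and look-alike check discussed in the message above, as an added example that is not part of the original thread: a Python sketch that renders a hostname in its ASCII (xn--) form and flags labels that mix scripts or imitate a protected name. The `LOOKALIKES` table, the `PROTECTED` list and all function names are constructed for illustration.

```python
import unicodedata

# Constructed, deliberately small look-alike table for illustration only;
# a real deployment would use the Unicode confusables data instead.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0455": "s", "\u0456": "i",
    "0": "o", "1": "l",
}

# Constructed sample of names a mail client might choose to protect.
PROTECTED = {"microsoft", "paypal", "ebay", "amazon"}


def char_script(ch):
    """Rough script bucket taken from the Unicode character name (heuristic)."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def label_scripts(label):
    """Scripts used by the letters of one DNS label (digits/hyphens ignored)."""
    return {char_script(c) for c in label} - {"COMMON"}


def skeleton(label):
    """Fold known look-alike characters onto the ASCII letter they resemble."""
    return "".join(LOOKALIKES.get(c, c) for c in label.lower())


def to_ascii(host):
    """The xn-- (punycode) form, i.e. what a client can show instead of the IDN."""
    return host.encode("idna").decode("ascii")


def assess(host):
    """Return the safe display form of a hostname plus any findings."""
    host = host.rstrip(".").lower()
    findings = []
    for label in host.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append(("mixed-script", label, sorted(scripts)))
        skel = skeleton(label)
        if skel in PROTECTED and label != skel:
            findings.append(("imitates", label, skel))
    return {"display": to_ascii(host), "findings": findings}


if __name__ == "__main__":
    # Constructed hostnames: the first uses CYRILLIC U+0456 in place of "i".
    for sample in ("www.m\u0456crosoft.com", "www.microsoft.com", "paypa1.com"):
        print(repr(sample), assess(sample))
```

A label written entirely in one non-Latin script passes the mixed-script test, which is why the skeleton comparison against protected names is kept as a separate check.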
Re: Jargons of Info Tech industry
In comp.lang.java.programmer Ross Bamford [EMAIL PROTECTED] wrote or quoted: Roedy, I would just _love_ to see the response from the industry when you tell them they should dump their whole mail infrastructure, and switch over to a whole new system (new protocols, new security holes, new problems start to finish). [...] That's essentially what the IM folk did. It seems quite possible that future email systems will evolve out of existing IM ones. Essentially, IM can do pretty-much everything email can these days, but the reverse is not true at all. IM also seems more evolvable than email is managing to be. About all email has going for it these days is an open format and a large existing user base. -- __ |im |yler http://timtyler.org/ [EMAIL PROTECTED] Remove lock to reply.
Re: Jargons of Info Tech industry
Gordon Burditt [EMAIL PROTECTED] wrote or quoted:
> Before worrying about the possible bugs in the implementations, worry about security issues present in the *DESIGN*. Email ought to be usable to carry out a conversation *SAFELY* with some person out to get you. Thus features like this are dangerous (in the *design*, not because they *might* hide a buffer-overflow exploit):
>
> - Hyperlinks to anything *outside* the email in which the link resides (web bugs).

Acceptable risk, IMO.

> - Any ability to automatically generate hits on sender-specified servers when the email is read.

I hadn't thought of that one. As well as use in DDOS attacks, that can help let spammers know if they have reached a human :-|

Even a link in a plain text email can be used (though with reduced effectiveness) in such a context :-(

--
__ |im |yler http://timtyler.org/ [EMAIL PROTECTED] Remove lock to reply.
Re: Jargons of Info Tech industry
On Tue, 18 Oct 2005 08:12:23 GMT, Tim Tyler [EMAIL PROTECTED] wrote or quoted :
> > - Any ability to automatically generate hits on sender-specified servers when the email is read.
>
> I hadn't thought of that one. As well as use in DDOS attacks, that can help let spammers know if they have reached a human :-|

If you think about it, much as you hate spammers you WANT them to have that information. If you never read spam, and they know that, they eventually might stop sending it to you and focus on the nitwits who read it.

--
Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts.
Re: Jargons of Info Tech industry
On Tue, 18 Oct 2005 07:59:47 GMT, Tim Tyler [EMAIL PROTECTED] wrote or quoted : Essentially, IM can do pretty-much everything email can these days, but the reverse is not true at all. The problem with IM is the various IM schemes don't talk to each other. You need a client that knows all the IM protocols. But that seems to be happening with Jabber and Trillian. You have too much reliance on a central server. You have to trust the relaying company. I think it is time that nearly all mail was routinely and transparently end to end encrypted, with the exception of long enclosures that are explicitly marked not confidential. You still have spam to a lesser extent and strangers just wanting to talk. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts.
Re: Jargons of Info Tech industry
Tim Tyler [EMAIL PROTECTED] writes: In comp.lang.java.programmer Ross Bamford [EMAIL PROTECTED] wrote or quoted: About all email has going for it these days is an open format and a large existing user base. Yeah, and all that Windows has going for it is being on 9X% of the desktops. Nothing really important at all. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/home/mwm/ Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
Jargons of Info Tech industry
Just passin' through Xah Lee, on Aug 22, 2:43 pm wrote: Unix, RFC, and Line Truncation [snippage] There is no reason for a paragraph encoding to be splattered with end of line characters, nor the human labor expended. There is reason for paragraphs to be displayed not too wide, and that is readability. What the unixer could not get clear of is a distinction of concepts. Because their fantastically hacked-up operating system operate by the principle that lines should not be some 80 chars or else it will be truncated and *silently* too, thus it became _necessarily_ their _habit_ and thought that line truncation business is natural and a human duty. Unknown of these setups, the unix geeks go by their presumption that all text should be hard wrapped, as if parameters should be hard-coded. I've seen this argument before. There's at least one VERY good reason to hard-code linebreaks in text: to preserve a covert channel. It's really easy to structure plain text in such a way to include super sekret messages that can only be properly decoded when the original formatting of the text is preserved. Assuming that all of us are agreed that plain text is the correct lowest-common denominator in email and Usenet communications, it makes sense to allow for additional personal expression by way of enabling users to encode additional information in the formatting of their messages. So, while Mr. Lee (who is not alone) is apparently of the opinion that paragraphs should be formatted according to the transient size of the newsreader window, his preference destroys a channel of expression available to the putative author -- if free-flow paragraph structure is mandated by the messaging standards and conventions of the text messaging community. Personally, I think the status quo is fine. People who wish to insert line breaks where they wish in their paragraphs may do so, and others may rely (or not) on their software to format their messages. 
In the long term there are more pressing problems. Should we, for instance, extend the plain text 'conventions', which are largely concerned with 7-bit ASCII messaging, and all the associated software applications to work with unicode character sets? Simplicity is good and all that, but this is a multi-cultural, multi-language world. Locking out the non-English speaking population from Usenet or (worse) from manually interoperating with basic Internet protocols (for instance) seems rather short sighted. I do not mean to start a flame war here; I am just trying to point out the obvious. People like Mr. Lee, as well as many, many application developers are well-meaning but misguided. They would unnecessarily complexify things that should be simple and simplify things that should be complex. I, for one, am continuing to think about these issues because I see no simple solutions and have no magic bullet to offer that would solve these perennial difficulties of preference, clarity, and common sense. Perhaps one day we will converge on near optimal solutions to these and like issues; which will be coded and formalised in standards, and which will stand for the indefinite future. Regards, Steve
Re: Jargons of Info Tech industry
Xah Lee, on Aug 22, 2:43 pm wrote: Unix, RFC, and Line Truncation http://xahlee.org/UnixResource_dir/writ/truncate_line.html Steve wrote: I've seen this argument before. There's at least one VERY good reason to hard-code linebreaks in text: to preserve a covert channel. It's really easy to structure plain text in such a way to include super sekret messages that can only be properly decoded when the original formatting of the text is preserved. Assuming that all of us are agreed that plain text is the correct lowest-common denominator in email and Usenet communications, it makes sense to allow for additional personal expression by way of enabling users to encode additional information in the formatting of their messages. Rethink what you are saying. You'll see that what you propose as reasons for one, is actually for the other. Xah [EMAIL PROTECTED] ∑ http://xahlee.org/
Re: Jargons of Info Tech industry
[EMAIL PROTECTED] (Bengt Richter) wrote: On 16 Oct 2005 00:31:38 GMT, John Bokma [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] (Bengt Richter) wrote: On Tue, 04 Oct 2005 17:14:45 GMT, Roedy Green [EMAIL PROTECTED] wrote: On Tue, 23 Aug 2005 08:32:09 -0500, l v [EMAIL PROTECTED] wrote or quoted : I think e-mail should be text only. I think that is a useful base standard, which allows easy creation of ad-hoc tools to search and extract data from your archives, etc. I disagree. Your problem is spam, not HTML. Spam is associated with HTML and people have in Pavlovian fashion come to hate HTML. But HTML is not the problem! Right, it's what the HTML-interpreting engines might do that is the problem. You mean the same problem as for example using a very long header in your email to cause a buffer overflow? That is possible with plain ASCII, and has been done. Are you trolling? No, I don't mean the same problem. What an HTML interpreter does by _design_ is not in the same category as an implementation error enabling a root exploit. Ok, what do you think are the bad things in HTML design? (For email that is). I can name only two: 1 - remote loading of objects 2 - when a user clicks on a link, this can be seen as a confirmation. The latter is also possible in the email clients I have used when plain text is used. Ok, you can say that in HTML you can hide somewhat the destination, e.g. a href=http://example.com/user-1234;Check out this /a. OTOH, you are not forced not to read the status bar. [ ... ] Don't get me wrong, I said all good stuff, as far as control of presentation is concerned. And I would be happy to have nice graphic email if I could get it as a self-contained file from my ISP's mail server, and I had a presentation engine involved that I knew was guaranteed to stick to presentation work without communicating over the web or doing anything else without my knowledge. I don't see any technical obstacle to that, but HTML is not designed to be the solution to that. 
Of course: I can compose an HTML file which has the graphics embedded in HTML which works in the client I am using. Another option is to include the graphics as attachments (this works). I am convinced this also works for stylesheets and any other object. So in short, it's possible to get a self-contained email. [ pdf ] Ah, and that's exploit free? That's not the issue. All programs can have the kind of exploit possibilities that you are talking about. A program with the single purpose of interpreting a page description and presenting it graphically is easier to eliminate exploitable vulnerabilities from than a program that involves a lot of additional stuff. I thought it was possible to add a remote link to PDF (but I couldn't make one with OOo - export pdf). But I am afraid that as soon as PDF is taking over the role of HTML in email, it is certainly going to support things you consider harmful (and are in some occasions, I mean, I agree that tracking of images in spam is a bad thing). Program listings are much more readable on my website. IMO FOSS pdf could provide all the layout benefits while avoiding (allowing for bugs) all the downsides of X/HTML in emails. Amazing, so one data format that's open is better compared to another open data format based on what? I take it you don't understand the difference between pdf and html? A primary thing is the monitorable data-moving activity that is involved. A pdf can have links, but they are not followed (not counting what closed source proprietary software might risk a PR black eye doing) in the process of opening and presenting the document to you. And a link in an HTML file is? (Ok, there are so called caching systems that do this with browsers). The whole file comes as a single unit normally As I stated, this is possible with HTML, at least Firefox does support inline images (data scheme). CSS can already be included in the file itself. 
(though I could see the temptation to implement automatic font downloads and enable font-bugs like web-bugs based on that, though in a FOSS implementation, such [mal]features could easily be made optional). You could say features can be optional re HTML CSS and JS and all the other automatic web-accessing and other features of HTML, but by the time you made them all optional and turned them off, you wouldn't see the HTML-author's intended presentation. That is not the case with pdf. Also, a single pdf file would be coming from one place. There is not an on-the-fly gathering of elements that you have to use a special tool to determine for sure where all the requests to get them went, or to prevent them from going, and having the activity logged, not to mention what the interpretation of unknown elements might do. If it's not possible to remote link to an image in PDF, I wouldn't be amazed that if it is replacing HTML in email, such a thing will be added. --
Re: Jargons of Info Tech industry
On Sat, 15 Oct 2005 23:24:21 GMT, [EMAIL PROTECTED] (Bengt Richter) wrote or quoted : I try to explain Java each day both on my website on the plaintext only newsgroups. It is so much easier to get my point across in HTML. How about pdf? End users HATE PDF. Why? It takes so long for the reader to load. It is so slow on older machines to render and scroll. My complaint with it is it is Adobe proprietary. This makes the tools very expensive. I like PDF because: 1. documents have to be prepared before posting. This means you don't have malformed syntax in them. 2. You can reasonably quickly turn computer printouts or paper documents into web content. 3. You don't have to guess what the end user will see. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts.
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] writes: End users HATE PDF. Why? It takes so long for the reader to load. xpdf comes up almost instantly here. Maybe end users should consider finding a better PDF reader. -- Your correction is 100% correct and 0% helpful. Well done! --Richard Heathfield
Re: Jargons of Info Tech industry
On 16 Oct 2005 00:31:38 GMT, John Bokma [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] (Bengt Richter) wrote: On Tue, 04 Oct 2005 17:14:45 GMT, Roedy Green [EMAIL PROTECTED] wrote: On Tue, 23 Aug 2005 08:32:09 -0500, l v [EMAIL PROTECTED] wrote or quoted : I think e-mail should be text only. I think that is a useful base standard, which allows easy creation of ad-hoc tools to search and extract data from your archives, etc. I disagree. Your problem is spam, not HTML. Spam is associated with HTML and people have in Pavlovian fashion come to hate HTML. But HTML is not the problem! Right, it's what the HTML-interpreting engines might do that is the problem. You mean the same problem as for example using a very long header in your email to cause a buffer overflow? That is possible with plain ASCII, and has been done. Are you trolling? No, I don't mean the same problem. What an HTML interpreter does by _design_ is not in the same category as an implementation error enabling a root exploit. That is like hating all choirs because televangelists use them. HTML allows properly aligned table, diagrams, images, use of colour/fonts to encode speakers. emphasis, hyperlinks. All good stuff, but I don't like worrying about side effects when I read email. Then you should ask people to print it out, and use snail mail. Exploits _I_ should, because _you_ can't think of a better solution? Always happy to get useful advice, though ;-) in email programs are not happening since HTML was added to them. You mean they didn't start happening, presumably. But I'm not talking about exploits, I'm talking about what HTML is designed to do, which is to describe a presentation composed of elements which in general requires retrieving many elements separately as the indirect references (links) are interpreted and the data is requested from the indicated servers -- all at HTML interpretation-time, whatever client engine is doing that for browser or email reader etc. 
Don't get me wrong, I said all good stuff, as far as control of presentation is concerned. And I would be happy to have nice graphic email if I could get it as a self-contained file from my ISP's mail server, and I had a presentation engine involved that I knew was guaranteed to stick to presentation work without communicating over the web or doing anything else without my knowledge. I don't see any technical obstacle to that, but HTML is not designed to be the solution to that. IMO pdf comes close. I recognize that a pdf interpreter can also have exploitable implementation errors, just like an ascii email client, but that is not what I am talking about. I prefilter email into plain and X/HTML-containing mailboxes, and I don't open HTML email from unknown sources, though if I am really curious I will drag and drop the email into a probtrash mailbox and use a python script that extracts the text or other info as text in a console window. All the ones purportedly from ebay and amazon and paypal have been phishing attempts which would look pretty convincing if displayed by normal X/HTML interpretation. If my ISP had a better filter or I improved mine, I wouldn't see that, but in my normal ascii email boxes I don't have to worry about that, I just have to resist the social engineering of the offers from Nigeria etc. ;-) I try to explain Java each day both on my website on the plaintext only newsgroups. It is so much easier to get my point across in HTML. How about pdf? Ah, and that's exploit free? That's not the issue. All programs can have the kind of exploit possibilities that you are talking about. A program with the single purpose of interpreting a page description and presenting it graphically is easier to eliminate exploitable vulnerabilities from than a program that involves a lot of additional stuff. Program listings are much more readable on my website. 
IMO FOSS pdf could provide all the layout benefits while avoiding (allowing for bugs) all the downsides of X/HTML in emails. Amazing, so one data format that's open is better compared to another open data format based on what? I take it you don't understand the difference between pdf and html? A primary thing is the monitorable data-moving activity that is involved. A pdf can have links, but they are not followed (not counting what closed source proprietary software might risk a PR black eye doing) in the process of opening and presenting the document to you. The whole file comes as a single unit normally (though I could see the temptation to implement automatic font downloads and enable font-bugs like web-bugs based on that, though in a FOSS implementation, such [mal]features could easily be made optional). You could say features can be optional re HTML CSS and JS and all the other automatic web-accessing and other features of HTML, but by the time you made them all optional and turned them off, you wouldn't see the HTML-author's intended presentation. That is not
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] writes: 3. You don't have to guess what the end user will see. If you include the fonts, which makes big documents which slows down the loading and rendering... I've seen quite a number of PDF that are ill-rendered or not rendered at all. -- You cannot really appreciate Dilbert unless you read it in the original Klingon
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] writes: On Sat, 15 Oct 2005 23:24:21 GMT, [EMAIL PROTECTED] (Bengt Richter) wrote or quoted : How about pdf? My complaint with it is it is Adobe proprietary. This makes the tools very expensive. No, it isn't. The standard is publicly available, so anyone can write tools that produce and/or manipulate PDF. Lots of people do. Pretty much any WP or DP package worth using will generate PDF out of the box - and some of those are free. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/home/mwm/ Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] On Tue, 11 Oct 2005 11:45:03 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : Jeff Poskanzer, now *he* has a spam problem. He gets a few million spams a day: URL: http://www.acme.com/mail_filtering/ . It is a bit like termites. If we don't do something drastic to deal with spam, the ruddy things will eventually make the entire Internet unusable. the three keys to me are: 1. flipping to a digital id based email system so that the sender of any piece of mail can be legally identified and prosecuted. If every piece of anonymous email disappeared that would go a long way to clearing up spam. Let those sending ransom notes, death threats and hate mail use snail mail. As a second best, correspondents are identified by permission/identity/encryption keys given to them by their recipients. Too complicated. 2. flipping to a sender pays system so that the Internet does not subsidise spam. This would turn cost of sending mail to ordinary people. Spammers pay for bandwidth as much as receivers (except in case when they hijack server). 3. Mail is not transported without prior permission. The receiver can turn that permission on and off any time he chooses. This is basically an automated version of what Zaep does where the sender is not consciously aware of the permission-getting step. That is the solution. rcpt from:[EMAIL PROTECTED] rcpt to:[EMAIL PROTECTED] not authorized Then simply users have to maintain list of domains/users that can send mail which need just one more smtp command. mail from:[EMAIL PROTECTED] auth req:[EMAIL PROTECTED] ok auth req:[EMAIL PROTECTED] request already in queue rcpt to:[EMAIL PROTECTED] not authorized user authorization: helo victims.org ok user:[EMAIL PROTECTED] ok password:victim ok auth list req ... ... ... 
auth add:[EMAIL PROTECTED],org error no such user at slam org auth add:[EMAIL PROTECTED],org ok auth add:[EMAIL PROTECTED] ok auth remove:[EMAIL PROTECTED] ok auth add:[EMAIL PROTECTED] ok quit and there it is, spam free solution. User can maintain two email addresses one for general public and one spam free. Of course smtp should be really extended to support user authorization. Greetings, Bane.
Re: Jargons of Info Tech industry
On Tue, 04 Oct 2005 17:14:45 GMT, Roedy Green [EMAIL PROTECTED] wrote: On Tue, 23 Aug 2005 08:32:09 -0500, l v [EMAIL PROTECTED] wrote or quoted : I think e-mail should be text only. I think that is a useful base standard, which allows easy creation of ad-hoc tools to search and extract data from your archives, etc. I disagree. Your problem is spam, not HTML. Spam is associated with HTML and people have in Pavlovian fashion come to hate HTML. But HTML is not the problem! Right, it's what the HTML-interpreting engines might do that is the problem. That is like hating all choirs because televangelists use them. HTML allows properly aligned table, diagrams, images, use of colour/fonts to encode speakers. emphasis, hyperlinks. All good stuff, but I don't like worrying about side effects when I read email. I try to explain Java each day both on my website on the plaintext only newsgroups. It is so much easier to get my point across in HTML. How about pdf? Program listings are much more readable on my website. IMO FOSS pdf could provide all the layout benefits while avoiding (allowing for bugs) all the downsides of X/HTML in emails. Regards, Bengt Richter -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
[EMAIL PROTECTED] (Bengt Richter) wrote: On Tue, 04 Oct 2005 17:14:45 GMT, Roedy Green [EMAIL PROTECTED] wrote: On Tue, 23 Aug 2005 08:32:09 -0500, l v [EMAIL PROTECTED] wrote or quoted : I think e-mail should be text only. I think that is a useful base standard, which allows easy creation of ad-hoc tools to search and extract data from your archives, etc. I disagree. Your problem is spam, not HTML. Spam is associated with HTML and people have in Pavlovian fashion come to hate HTML. But HTML is not the problem! Right, it's what the HTML-interpreting engines might do that is the problem. You mean the same problem as for example using a very long header in your email to cause a buffer overflow? That is possible with plain ASCII, and has been done. That is like hating all choirs because televangelists use them. HTML allows properly aligned table, diagrams, images, use of colour/fonts to encode speakers. emphasis, hyperlinks. All good stuff, but I don't like worrying about side effects when I read email. Then you should ask people to print it out, and use snail mail. Exploits in email programs are not happening since HTML was added to them. I try to explain Java each day both on my website on the plaintext only newsgroups. It is so much easier to get my point across in HTML. How about pdf? Ah, and that's exploit free? Program listings are much more readable on my website. IMO FOSS pdf could provide all the layout benefits while avoiding (allowing for bugs) all the downsides of X/HTML in emails. Amazing, so one data format that's open is better compared to another open data format based on what? -- John Small Perl scripts: http://johnbokma.com/perl/ Perl programmer available: http://castleamber.com/ I ploink googlegroups.com :-) -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
> But HTML is not the problem!
> Right, it's what the HTML-interpreting engines might do that is the problem.
> You mean the same problem as for example using a very long header in your email to cause a buffer overflow? That is possible with plain ASCII, and has been done.

Before worrying about the possible bugs in the implementations, worry about security issues present in the *DESIGN*. Email ought to be usable to carry out a conversation *SAFELY* with some person out to get you. Thus features like this are dangerous (in the *design*, not because they *might* hide a buffer-overflow exploit):

- Hyperlinks to anything *outside* the email in which the link resides (web bugs).
- Javascript.
- Any ability to automatically generate hits on sender-specified servers when the email is read.
- Any kind of return-receipt mechanism that doesn't require initiation by the recipient.
- Any kind of return-receipt mechanism that indicates that the message got past the spam filter.

> That is like hating all choirs because televangelists use them. HTML allows properly aligned table, diagrams, images, use of colour/fonts to encode speakers. emphasis, hyperlinks.

The trouble is, it allows way too much dangerous stuff.

> All good stuff, but I don't like worrying about side effects when I read email.
> Then you should ask people to print it out, and use snail mail. Exploits in email programs are not happening since HTML was added to them.

Yes, they are. Why do you think people put web bugs in email? Because they work.

> I try to explain Java each day both on my website on the plaintext only newsgroups. It is so much easier to get my point across in HTML.

Gordon L. Burditt
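The design-level features listed in the message above (automatic hits on sender-specified servers, script, links whose visible text hides the destination), as an added example that is not part of the original thread: a Python audit that parses a message without rendering it and reports what a rendering client would fetch or run. The sample message, the `AUTO_FETCH` tag list and all function names are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs a rendering client typically fetches without a click
# (assumed list for this example, not exhaustive).
AUTO_FETCH = {("img", "src"), ("script", "src"), ("iframe", "src"),
              ("embed", "src"), ("link", "href"), ("body", "background")}

# Constructed sample message: one tracking image, one embedded (cid:) image,
# one link whose text names a different host, one plain link, one script.
SAMPLE = """\
From: sender@example.net
To: reader@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account needs attention.</p>
<img src="http://tracker.example.net/open.gif?user=1234" width="1" height="1">
<img src="cid:logo@example.net">
<a href="http://login.example.net/user-1234">www.example.com/account</a>
<a href="http://example.com/user-1234">Check out this</a>
<script>/* would run in a scripting-enabled client */</script>
</body></html>
"""


class MailAudit(HTMLParser):
    """Collects remote references, script tags and links; renders nothing."""

    def __init__(self):
        super().__init__()
        self.auto_fetch, self.links, self.scripts = [], [], 0
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.scripts += 1
        for t, a in AUTO_FETCH:
            url = attrs.get(a) if t == tag else None
            # cid: and data: stay inside the message; http(s) leaves it.
            if url and (urlsplit(url).scheme in ("http", "https")
                        or url.startswith("//")):
                self.auto_fetch.append((tag, url))
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text):
    """Hostname the visible link text claims, if the text looks like a URL."""
    words = text.split()
    token = words[0] if words else ""
    try:
        host = urlsplit(token if "://" in token else "//" + token).hostname or ""
    except ValueError:
        return ""
    return host if "." in host else ""


def audit(raw):
    """Report remote fetches, scripts and mismatched links in a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    report = {"auto_fetch": [], "scripts": 0, "mismatched_links": []}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = MailAudit()
        parser.feed(part.get_content())
        parser.close()
        report["auto_fetch"] += parser.auto_fetch
        report["scripts"] += parser.scripts
        for href, text in parser.links:
            claimed, actual = shown_host(text), urlsplit(href).hostname or ""
            if claimed and claimed != actual:
                report["mismatched_links"].append((claimed, actual))
    return report


if __name__ == "__main__":
    print(audit(SAMPLE))
```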
Re: Jargons of Info Tech industry
[EMAIL PROTECTED] (Gordon Burditt) wrote: But HTML is not the problem! Right, it's what the HTML-interpreting engines might do that is the problem. You mean the same problem as for example using a very long header in your email to cause a buffer overflow? That is possible with plain ASCII, and has been done. Before worrying about the possible bugs in the implementations, worry about security issues present in the *DESIGN*. You mean like email travels like plain text over the Internet? Email ought to be usable to carry out a conversation *SAFELY* with some person out to get you. Thus features like this are dangerous (in the *design*, not because they *might* hide a buffer-overflow exploit): - Hyperlinks to anything *outside* the email in which the link resides (web bugs). Same holds for a link in plain ASCII - Javascript. Is not HTML That is like hating all choirs because televangelists use them. HTML allows properly aligned table, diagrams, images, use of colour/fonts to encode speakers. emphasis, hyperlinks. The trouble is, it allows way too much dangerous stuff. Same with attachments, shall we remove those too? All good stuff, but I don't like worrying about side effects when I read email. Then you should ask people to print it out, and use snail mail. Exploits in email programs are not happening since HTML was added to them. Yes, they are. No, they are not. Buffer overruns with plain ASCII text have happened in the past. Dangerous attachments have been sent before HTML was available in email. Why do you think people put web bugs in email? Because they work. Same with attachments... -- John Small Perl scripts: http://johnbokma.com/perl/ Perl programmer available: http://castleamber.com/ I ploink googlegroups.com :-)
Re: Jargons of Info Tech industry
On Wed, 12 Oct 2005 22:04:14 GMT Roedy Green [EMAIL PROTECTED] wrote: On Mon, 10 Oct 2005 00:42:18 +0200, Stefaan A Eeckels [EMAIL PROTECTED] wrote or quoted : I don't understand that attitude. Don't we want email that has dancing bears, cute little videos, musical tunes, animated waving hands, sixty fonts, and looks like it's been done with crayolas? Good grief, man, think like a three year old! that excuse could also be used to explain why you have not cracked a book since high school. The same tools that create dancing bears can do a UML diagram. Mine doesn't. Stick figures is as far as it'll go. Specific document formats can be attached to an email without any problems. When exact rendering is important, the appropriate format (e.g. PDF) can be used. Only a fool would want his email program to render a UML diagram (which is far more than a cute drawing done in Visio, in case you hadn't noticed). -- Stefaan -- As complexity rises, precise statements lose meaning, and meaningful statements lose precision. -- Lotfi Zadeh -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
In comp.lang.java.programmer Mike Meyer [EMAIL PROTECTED] wrote or quoted: Tim Tyler [EMAIL PROTECTED] writes: In comp.lang.java.programmer Mike Meyer [EMAIL PROTECTED] wrote or quoted: The technical problems have been solved for over a decade. NeXT shipped systems that used text/richtext, which has none of the problems that HTML has. The problems are *social* - you've got to arrange for people to use mail/news readers that understand a rich text format that isn't a vector for viruses. It's not HTML that has problems, it's Microsoft's crappy software. HTML is a problem on *other* people's crappy software as well. It wasn't designed to carry code content, but has been hacked up to do that. Are there any examples of HTML email causing security problems - outside of Microsoft's software? I can think of one: the JPEG virus. However, that affected practically any program that could render JPEGs - not just HTML. Writing virus-free HTML renderers is not hard - but of course Microsoft can still screw it up. Sure - just disable all the features that make people want to use HTML instead of something else. Not so: you disable Java, Javascript and plugins. You leave the ability to format, colour and hint documents. This is not /that/ difficult. Don't blame HTML for viruses - *every* document format Microsoft has anything to do with becomes a vector for viruses. Which would mean that every open format that MS has had anything to do with comes a vector for viruses. Somehow, I'm not buying it. I exaggerate only slightly. -- __ |im |yler http://timtyler.org/ [EMAIL PROTECTED] Remove lock to reply. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
1. flipping to a digital id based email system so that the sender of any piece of mail can be legally identified and prosecuted. If every piece of anonymous email disappeared that would go a long way to clearing up spam. Let those sending ransom notes, death threats and hate mail use snail mail. As a second best, correspondents are identified by permission/identity/encryption keys given to them by their recipients. The first part seems rather expensive and I'm not sure it would help. Is spam illegal? I don't see how it can be. I mean, those messages are annoying, but not that annoying. I get unsolicited email that I actually want often enough to want to avoid gumming it up in legal issues. Just think about 'protecting the youth'. Everybody can send highly sexual (to the abnormal) content to everybody. If you would do this personally on the streets you would surely be prosecuted in most countries. So, if it isn't illegal, it should be. [snip] ++ Eike -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Tim Tyler [EMAIL PROTECTED] writes: Are there any examples of HTML email causing security problems - outside of Microsoft's software? There was a pretty good one that went something like Click this link to download latest security patch! a href=http://www.mxx.com.Microsoft Security Center/a where mxx is microsoft with the letter i replaced by some exotic Unicode character that looks exactly like an ascii i in normal screen fonts. The attacker had of course registered that domain and put evil stuff there. Not so: you disable Java, Javascript and plugins. You leave the ability to format, colour and hint documents. This is not /that/ difficult. Don't forget disabling Unicode. What happens if you have a meta redirect= tag in the html email that tries to redirect the browser to some other url? -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Not so: you disable Java, Javascript and plugins. You leave the ability to format, colour and hint documents. This is not /that/ difficult. Don't forget disabling Unicode. http://news.netcraft.com/archives/2005/02/15/firefox_to_disable_idn_support_as_phishing_defense.html -- Richie Hindle [EMAIL PROTECTED] -- http://mail.python.org/mailman/listinfo/python-list
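An added example, not from any poster in this thread: a check for the lookalike-hostname trick described above, which converts a hostname to its ASCII (punycode) form and flags labels that mix scripts. The sample hostnames are constructed, and the script test based on Unicode character names is a coarse heuristic assumed here, not a browser's actual algorithm.

```python
import unicodedata

# Script combinations that legitimately share one label (assumed allow-list).
COMPATIBLE = [{"CJK", "HIRAGANA", "KATAKANA"}]

# Constructed sample: "microsoft" with U+0456 (Cyrillic i) in place of "i".
LOOKALIKE = "m\u0456crosoft.example"


def label_scripts(label):
    """Scripts used by the letters of one DNS label, taken from the first
    word of each character's Unicode name (e.g. LATIN, CYRILLIC, GREEK)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def is_mixed(scripts):
    """True when a label combines scripts outside the allow-list."""
    if len(scripts) <= 1:
        return False
    return not any(scripts <= ok for ok in COMPATIBLE)


def inspect_hostname(host):
    """Return the ASCII form a client can display instead of the Unicode
    form, plus the labels that mix scripts."""
    host = host.rstrip(".").lower()
    try:
        # Python's built-in codec implements IDNA 2003 (ToASCII per label).
        ascii_form = host.encode("idna").decode("ascii")
    except UnicodeError:
        return {"ascii": None, "non_ascii": True, "mixed_labels": [],
                "valid": False}
    labels = host.split(".")
    return {
        "ascii": ascii_form,
        "non_ascii": any(ord(ch) > 127 for ch in host),
        "mixed_labels": [l for l in labels if is_mixed(label_scripts(l))],
        "valid": True,
    }


if __name__ == "__main__":
    for name in (LOOKALIKE, "www.microsoft.example"):
        info = inspect_hostname(name)
        print(repr(name), "->", info["ascii"], "mixed:", info["mixed_labels"])
```

A label written entirely in one non-Latin script passes the mixed-script test, which is why showing the `xn--` form for every non-ASCII hostname is the stronger of the two checks.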
Re: Jargons of Info Tech industry
Paul Rubin http://[EMAIL PROTECTED] writes: Not so: you disable Java, Javascript and plugins. You leave the ability to format, colour and hint documents. This is not /that/ difficult. Don't forget disabling Unicode. To kill web bugs, you have to turn off images, and anything else that automatically loads content from an external server. No inline images is a pretty large hit on formatting. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/home/mwm/ Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Hello? I don't think that should make any difference. I should be able to visit absolutely any website on the Internet without any danger to my computer or the data stored on it. Any browser which allows otherwise has a bug. Javascript is not inherently a virus vector. Flawed implementations might be; the language itself is not. Similarly for anything else. In reality, with a properly-configured, good quality operating system (probably a UNIX-type system), one ought to be able to run full native code without any danger to one's computer or data (think: under the NOBODY account on Linux). Just my 1/50th of a dollar. Chris Gordon Burditt wrote: [snip] Browsers don't read unsolicited web sites. Email readers do, however, read unsolicited email, and email from downright hostile correspondents. And I consider web bugs and similar tracking methods to be a danger for something that's supposed to be ONLY formatted text. [snip] -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Thunderbird is nice that way. You can tell it to render HTML by default, and even images if they're included in the body of the e-mail, but tell it to NOT render anything which requires connections to external servers unless you click a Show Images button. I think Hotmail does a similar thing. Chris Paul Rubin wrote: [snip] That's the worst of all. I certainly don't want my mail reader opening network connections to arbitrary places when I read my mail. I have no willingness at all to reveal my mail reading habits or IP address to everyone who sends me email. If someone wants a return receipt, they can use snail mail and fill out a form at the post office for it. -- http://mail.python.org/mailman/listinfo/python-list
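The remote-content policy described in the message above (render the HTML, keep images carried inside the mail, fetch nothing from external servers), sketched as an added Python example that is not code from Thunderbird or from any poster in this thread. The tag and attribute tables, the `.example` hosts and the sample message are assumptions constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy tables (illustrative, not taken from any mail client).
DROP_CONTAINERS = {"script", "style", "iframe", "object", "applet"}
DROP_VOID = {"meta", "link", "base", "embed", "frame"}
VOID = {"img", "br", "hr", "input", "col", "area", "wbr"}
# Attributes a renderer fetches on display, with no action by the reader.
AUTO_FETCH = {("img", "src"), ("input", "src"), ("body", "background"),
              ("table", "background"), ("td", "background"),
              ("th", "background")}
LOCAL_SCHEMES = {"cid", "data"}  # content carried inside the message itself


def scheme_of(url):
    """Lower-cased URL scheme, ignoring embedded whitespace/control chars."""
    try:
        return urlsplit(re.sub(r"[\x00-\x20]+", "", url)).scheme.lower()
    except ValueError:
        return "invalid"


class RemoteContentBlocker(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized HTML fragments
        self.blocked = []  # (tag, attribute, value) removed from the message
        self._skip = 0     # depth inside a dropped container element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTAINERS:
            self._skip += 1
        if self._skip or tag in DROP_VOID:
            a = dict(attrs)
            if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
                self.blocked.append((tag, "content", a.get("content") or ""))
            for name in ("src", "href", "data"):
                if a.get(name):
                    self.blocked.append((tag, name, a[name]))
            return
        kept = []
        for name, value in attrs:
            text = value or ""
            if (name.startswith("on") or name == "srcset"
                    or (name == "style" and "url(" in text.lower())
                    or (name == "href"
                        and scheme_of(text) in {"javascript", "vbscript"})
                    or ((tag, name) in AUTO_FETCH
                        and scheme_of(text) not in LOCAL_SCHEMES)):
                self.blocked.append((tag, name, text))
            elif value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTAINERS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag not in VOID and tag not in DROP_VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))


def block_remote_content(html_body):
    """Return (sanitized_html, blocked) for one HTML mail body."""
    parser = RemoteContentBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample message body: meta refresh, script, web bug, cid image.
SAMPLE = (
    '<html><head><meta http-equiv="refresh" content="0; url=http://tracker.example/r">'
    '<script>new Image().src="http://tracker.example/js"</script></head>'
    '<body onload="ping()"><p style="color:red">Quarterly <b>report</b> &amp; notes</p>'
    '<img src="cid:chart1@mail.example" alt="chart">'
    '<img src="http://tracker.example/open.gif?u=alice" width="1" height="1">'
    '<a href="http://www.example.org/report">full report</a></body></html>'
)

if __name__ == "__main__":
    cleaned, blocked = block_remote_content(SAMPLE)
    print(cleaned)
    for item in blocked:
        print("blocked:", item)
```

Ordinary hyperlinks are kept because following them requires a click by the reader; a stricter policy along the lines argued earlier in the thread would add `("a", "href")` handling of its own.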
Re: Jargons of Info Tech industry
On Thu, 13 Oct 2005 01:32:03 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : That won't prevent phishing, that will just raise the threshold a little. The first hurdle you have to get past is that most mail agents want to show a human name, not some random collection of symbols that map to a unique address. Even if you do that, most readers aren't going to pay attention to said random collection of symbols. Given that, there are *lots* of tricks that can be used to disguise the signed name, most of which phishers are already using. How many people do you think will really notice that mail from John Bath, PayPal Customer Service Representative ([EMAIL PROTECTED]) isn't really from paypal? I think it better than you imagine. First of all Mr. Phish will come in as a new communicant begging an audience. That is your first big clue. PayPal is already allowed in. Next if Thawte issues certs, they won't allow Phish names such as Paypol.com just as now for other certs. Mr. Phish is coming in on a different account. Next Mr. Phish had to present his passport etc when he got his Thawte ID. Now Interpol has a much better handle on putting him in jail. He can't repudiate his phishing attempt. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Thu, 13 Oct 2005 01:13:28 GMT, Keith Thompson [EMAIL PROTECTED] wrote or quoted : A partial solution to spam, or at least to pollution of Usenet newsgroups, would be to STOP POSTING THIS STUFF TO NEWSGROUPS WHERE IT'S NOT RELEVANT. Technically yes. But those folk in the appropriate newsgroups have had years to solve this and all we hear is despair. They are too concerned with the day to day alligator swamp draining to think about the big picture.. Perhaps it is time to toss the problem in front of a less beaten down group of potential problem solvers. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Thu, 13 Oct 2005 01:17:45 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : No, that's what makes email a vector for infection. What makes using the address book - for whatever purpose - possible for viruses is having an API that allows arbitrary code to access it. But you have to have that API - your customers are going to insist that they be able to use their address book from third party applications. An automated change of address is possible today. It would be LESS easy to pull off under the scheme I proposed that requires digital signatures. Yes there are some downsides to a theoretical attack where phony change of address messages are sent out. They don't propagate. They don't corrupt. They are self healing when the original guy gets his virus problem under control. But you must balance that against the REAL downside of people's address books being filled with obsolete email addresses. And of course one of the reasons they are is people keep changing their email addresses to hide on spam. I am just saving a lot of busy work keeping them up to date. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Wed, 12 Oct 2005 19:43:56 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : Yup, you solved an easy problem - designing a spam-proof email system. That's been done any number of times. The hard part is a deployment strategy that will actually get the world to transition to such a system. That's why earlier nearly identical proposals got rejected - nobody could come up with a workable transition plan. Without a transition plan, a better email system is only of academic interest - and not even much of that at this late date. The big problem with any new system would be it cannot communicate with others. So presumably your clients need to talk both old and new protocols. Just say, YES, you need the old mail system too, but you will find yourself using it less and less. So how do you promote it given that you can't talk to everyone with it? 1. confidentiality. -- All is encrypted. Sell it as something for confidential intra-corporate communications. This just happens transparently. This means you CAN'T accidentally reveal a company secret by bungling the software or forgetting to encrypt. 2. faster -- presume both ends are online 24-7. Do everything 8-bit transparent, compressed prior to encryption. All decrypting and compressing/decompressing is transparent. 3. prestige -- for people whose time is too valuable to deal with spam. Perhaps clients are designed so someone else can deal with giving and revoking permissions for you and prioritising your mail. The riffraff are not on this net, only those with certificates, people of distinction. Software is designed so a secretary can monitor and manage several other VIP's mail. Recall that there were intra-net emails long before the Internet. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] writes: Next Mr. Phish had to present his passport etc when he got his Thawte ID. Now Interpol has a much better handle on putting him in jail. He can't repudiate his phishing attempt. Any underage drinker in a college town can tell you a hundred ways to get sufficient fake ID to get around that. See also: http://www.ahbl.org/funny/response1.php I'll let others here fill in the blanks. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Thu, 13 Oct 2005 09:04:17 +0100, //[EMAIL PROTECTED] wrote: Roedy Green [EMAIL PROTECTED] writes: Next Mr. Phish had to present his passport etc when he got his Thawte ID. Now Interpol has a much better handle on putting him in jail. He can't repudiate his phishing attempt. Any underage drinker in a college town can tell you a hundred ways to get sufficient fake ID to get around that. See also: http://www.ahbl.org/funny/response1.php I'll let others here fill in the blanks. :) :) :) -- Ross Bamford - [EMAIL PROTECTED] -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
In comp.lang.perl.misc Roedy Green [EMAIL PROTECTED] wrote: On Thu, 13 Oct 2005 01:17:45 -0400, Mike Meyer [EMAIL PROTECTED] wrote No, that's what makes email a vector for infection. What makes using the address book - for whatever purpose - possible for viruses is having an API that allows arbitrary code to access it. But you have to have that API - your customers are going to insist that they be able to use their address book from third party applications. An automated change of address is possible today. It would be LESS easy to pull off under the scheme I proposed that requires digital signatures. How? I keep my address book on my Palm as I send mail from different computers? I suspect many other people do as well. Axel -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] writes: On Thu, 13 Oct 2005 01:32:03 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : That won't prevent phishing, that will just raise the threshold a little. The first hurdle you have to get past is that most mail agents want to show a human name, not some random collection of symbols that map to a unique address. Even if you do that, most readers aren't going to pay attention to said random collection of symbols. Given that, there are *lots* of tricks that can be used to disguise the signed name, most of which phishers are already using. How many people do you think will really notice that mail from John Bath, PayPal Customer Service Representative ([EMAIL PROTECTED]) isn't really from paypal? I think it better than you imagine. First of all Mr. Phish will come in as a new communicant begging an audience. That is your first big clue. PayPal is already allowed in. That's your first big clue. You've got two problems, though. 1) An as yet unspecified mechanism that magically approves everyone that you want to talk to. That's a big lump to swallow. It's also not an easy problem - all existing mechanisms for approving people require constant attention. Casual users aren't going to put up with that. 2) What makes you think your average user will realize this? It only takes a few percent to make it worth the phishers' time. Next if Thawte issues certs, they won't allow Phish names such as Paypol.com just as now for other certs. So they'll do what their web sites do now, and sign their own certs. Mr. Phish is coming in on a different account. Different from what? And how does the user get told about this, and what will make them care? Next Mr. Phish had to present his passport etc when he got his Thawte ID. Now Interpol has a much better handle on putting him in jail. Not if he didn't have to go to Thawte. 
mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/home/mwm/ Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Hello? I don't think that should make any difference. I should be able to visit absolutely any website on the Internet without any danger to my computer or the data stored on it. Any browser which allows otherwise has a bug. Then Javascript *as a language* is a bug. Javascript is not inherently a virus vector. Flawed A virus vector is not the only security problem. Leaking information to the web site is also a problem. implementations might be; the language itself is not. Does the language allow Javascript to open a new window? Does the language allow Javascript to trigger a function when a window is closed? I believe the answer to both questions is YES. Then it is possible to have a page that pops up two windows whenever you close one. This isn't theoretical: I've seen someone demonstrate this with certain nasty porn sites. The only way to recover was to kill off the browser and restart it. (Clicking HOME apparently fired off a cascade of closed windows which then opened more, running the browser out of virtual memory.) Because of this, he lost work in progress with another web site. (Apparently he accidentally clicked on a banner ad which lead to this booby-trapped site.) Similarly for anything else. In reality, with a properly-configured, good quality operating system (probably a UNIX-type system), one ought to be able to run full native code without any danger to one's computer or data (think: under the NOBODY account on Linux). If it can reveal my email address to any web site, it's a bug. If it can access or alter my personal files or address book, it's a bug. If it can generate hits on web sites other than that specified in the HTML, it's a bug. If it can open sockets, it's a bug. If it can look at or set cookies stored on my system, it's a bug. If it can look at or alter the list of previously visited URLs, it's a bug. Browsers don't read unsolicited web sites. 
Email readers do, however, read unsolicited email, and email from downright hostile correspondents. And I consider web bugs and similar tracking methods to be a danger for something that's supposed to be ONLY formatted text. Gordon L. Burditt -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Roedy Green wrote in news:[EMAIL PROTECTED]: On Tue, 11 Oct 2005 11:45:03 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : Jeff Poskanzer, now *he* has a spam problem. He gets a few million spams a day: URL: http://www.acme.com/mail_filtering/ . It is a bit like termites. If we don't do something drastic to deal with spam, the ruddy things will eventually make the entire Internet unusable. the three keys to me are: 1. flipping to a digital id based email system so that the sender of any piece of mail can be legally identified and prosecuted. If every piece of anonymous email disappeared that would go a long way to clearing up spam. Let those sending ransom notes, death threats and hate mail use snail mail. As a second best, correspondents are identified by permission/identity/encryption keys given to them by their recipients. The first part seems rather expensive and I'm not sure it would help. Is spam illegal? I don't see how it can be. I mean, those messages are annoying, but not that annoying. I get unsolicited email that I actually want often enough to want to avoid gumming it up in legal issues. The second part seems like it would be annoying for the recipients and would make just sending ordinary email more complicated. 2. flipping to a sender pays system so that the Internet does not subsidise spam. This is very promising. Our ISPs should put limits on how much email we can send. The limits should be rather insane, nothing that any nonspammer would ever come close to, but low enough to stop spam dead. If we want to send more than that, we'd better be charged extra. We could make each mail server responsible for the spam that it sends out. It seems that currently mail servers are swamped and spending big money on handling the vast loads of spam that gets pumped into them from other mail servers, so I'm sure they wouldn't mind having a rule like: Refuse to allow email to be transported from any server that spews more than 50% spam. 
Servers could be audited occasionally to check if they are spammers. I don't know exactly how spammers send spam, but a rule like that would sure stop ISPs from allowing any one person to send a thousand emails a day. In fact, if 99% of the email sent is spam, then we can safely assume that the proper email traffic is 1/100th of what it is now. We just have to close the valves a little. Mail servers could have an upper limit on how much they will transfer each day to force restrictions throughout the system and finally to the individual emailer. I'd rather have my mail server give me an error message saying that I've sent too much email every once in a while than have the entire Internet clogged with spam. [snipped third key] -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Wednesday 12 October 2005 04:37 pm, Roedy Green wrote: It is a bit like termites. If we don't do something drastic to deal with spam, the ruddy things will eventually make the entire Internet unusable. the three keys to me are: 1. flipping to a digital id based email system so that the sender of any piece of mail can be legally identified and prosecuted. If every piece of anonymous email disappeared that would go a long way to clearing up spam. Let those sending ransom notes, death threats and hate mail use snail mail. As a second best, correspondents are identified by permission/identity/encryption keys given to them by their recipients. Well, that certainly won't accomplish much -- not without a world government, anyway. Much (maybe most) of the spam I receive is international (from Russia, Japan, Southeast Asia, the Middle East, Africa, even the Philippines). Most of it is also already illegal, so new legislation will certainly make no difference. The only thing you buy with an authentication system is that you can filter out the problems at the ISP or on the uploading side, thus saving a lot of bandwidth. But it would have to be very widely accepted to actually reduce spamming. Now, of course, spammers are also hitting web forms and blogs and other protocols besides e-mail. 2. flipping to a sender pays system so that the Internet does not subsidise spam. Then I won't be posting on the Python list anymore, I can assure you. This would chill a lot of the purposes for which email is ideal. 3. Mail is not transported without prior permission. The receiver can turn that permission on and off any time he chooses. This is basically an automated version of what Zaep does where the sender is not consciously aware of the permission-getting step. Well, this is already happening at the level of my mail client. I gather you have something more centralized in mind? 
-- Terry Hancock ( hancock at anansispaceworks.com ) Anansi Spaceworks http://www.anansispaceworks.com -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Gordon Burditt wrote in news:[EMAIL PROTECTED]: Does the language allow Javascript to open a new window? Does the language allow Javascript to trigger a function when a window is closed? I believe the answer to both questions is YES. Then it is possible to have a page that pops up two windows whenever you close one. This was a problem, but modern browsers implement Javascript in such a way that it requires permission from the user before it will open a new window. If it can reveal my email address to any web site, it's a bug. If it can access or alter my personal files or address book, it's a bug. If it can generate hits on web sites other than that specified in the HTML, it's a bug. If it can open sockets, it's a bug. If it can look at or set cookies stored on my system, it's a bug. If it can look at or alter the list of previously visited URLs, it's a bug. All of those things seem like major problems except the bit about cookies. What possible harm can reading and setting cookies do? I had always thought they were carefully and successfully designed to be harmless. That's not personal information in your cookies. That information is set by websites for the sole purpose of being read by websites. Plus, I'm pretty sure that browsers have always allowed us to disable cookies. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Brendan Guild [EMAIL PROTECTED] writes: This was a problem, but modern browsers implement Javascript in such a way that it requires permission from the user before it will open a new window. Not really true, it's easy to defeat that, and also generally the pop-up blocker only blocks window.open on load events. JS can usually still open windows when you mouse over something. All of those things seem like major problems except the bit about cookies. What possible harm can reading and setting cookies do? I had always thought they were carefully and successfully designed to be harmless. That's not personal information in your cookies. That information is set by websites for the sole purpose of being read by websites. If you have a cookie from site ABC on your system, that shows you visited site ABC sometime in the past. That is personal information all by itself, that shouldn't be revealed (including to site ABC) without your permission. And that doesn't even begin to address web bugs. If the JS from site ABC can also read cookies set by unrelated site XYZ, that's an absolute disaster. It can steal login credentials and anything else. MSIE actually had a bug of that type a few years ago. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Does the language allow Javascript to open a new window? Does the language allow Javascript to trigger a function when a window is closed? I believe the answer to both questions is YES. Then it is possible to have a page that pops up two windows whenever you close one. This was a problem, but modern browsers implement Javascript in such a way that it requires permission from the user before it will open a new window. An infinite loop of asking permission is *ALSO* a denial-of-service attack. And I don't believe that the limitation applies in all circumstances. This seems to be a feature of the *language*, not only the implementation. If it can reveal my email address to any web site, it's a bug. If it can access or alter my personal files or address book, it's a bug. If it can generate hits on web sites other than that specified in the HTML, it's a bug. If it can open sockets, it's a bug. If it can look at or set cookies stored on my system, it's a bug. If it can look at or alter the list of previously visited URLs, it's a bug. All of those things seem like major problems except the bit about cookies. What possible harm can reading and setting cookies do? I had Javascript may be able to set cookies even if they are turned off by the normal mechanism of setting cookies. Even if that isn't the case, cookies are supposed to be domain-specific and a cookie from site A (which might have a session ID for an active login session, or login credentials for site A) should not be sent to site B. Javascript can apparently make its own URLs and send anything it gets its hands on to any site it wants to. The existence of a cookie from site A shouldn't be revealed at all to site B (or to Javascript from site B), regardless of what it contains. always thought they were carefully and successfully designed to be harmless. That's not personal information in your cookies. That Some websites *DO* put personal information in cookies. 
They don't all just use randomized session identifiers. Some of them store login credentials for a site (not just a currently active session, but permanent login credentials. That might not be personal the same way a SSN or credit card number is, but you could still do damage with it). A lot of the popularity of Javascript comes from the ability to steal information from the client computer that normal HTML does not give access to (e.g. screen/window size, email address, IP address as seen by the client (because of NAT and proxies, might not be the same IP as seen by the server), MAC address, browsing history, Windows serial number, Pentium CPU serial number, etc.) information is set by websites for the sole purpose of being read by websites. *BY THE WEBSITES THAT SET THEM*, not by all websites. The domain parameter for setting cookies has been in there since the beginning of the standard for cookies. If a marketer wants a piece of information, then I don't want him to have it, even if it's something like I visited page X and then went to page Y even if there's no identification of who I is. Plus, I'm pretty sure that browsers have always allowed us to disable cookies. I'm not sure that you can disable Javascript from reading cookies from other sites while allowing Javascript to read cookies from the site it came from on all browsers. Gordon L. Burditt -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
[EMAIL PROTECTED] (Gordon Burditt) writes: I'm not sure that you can disable Javascript from reading cookies from other sites while allowing Javascript to read cookies from the site it came from on all browsers. Javascript is not supposed to be able to read cross-site cookies. It's bad but it's not THAT bad. There was an MSIE bug that allowed reading other sites' cookies but it was correctly considered a horrendous security breach and it was fixed quickly after discovery. It caused a big fire drill where I was working at the time of the incident. We had to write a special ActiveX control to protect our cookie info until the browser patch went out. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
In article [EMAIL PROTECTED], Paul Rubin http://[EMAIL PROTECTED] wrote: Roedy Green [EMAIL PROTECTED] writes: Next Mr. Phish had to present his passport etc when he got his Thawte ID. Now Interpol has a much better handle on putting him in jail. He can't repudiate his phishing attempt. Any underage drinker in a college town can tell you a hundred ways to get sufficient fake ID to get around that. Most such jurisdictions get very excited, though, if that underage drinker kills someone while driving drunk. Ofttimes, that gets _real_ police attention, rather than occasional bouncer investigation. Make each received spam be worth a buck to the receiver, and the spammers/phishers/etc will be facing felony charges. I suspect much of the spamming would stop. Some, of course, would continue. Pyramid schemes still get proposed, but their scope is much smaller. Scott -- Scott Ellsworth [EMAIL PROTECTED] Java and database consulting for the life sciences -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Brendan Guild [EMAIL PROTECTED] writes: 2. flipping to a sender pays system so that the Internet does not subsidise spam. This is very promising. Our ISPs should put limits on how much email we can send. The limits should be rather insane, nothing that any nonspammer would ever come close to, but low enough to stop spam dead. If we want to send more than that, we'd better be charged extra. We could make each mail server responsible for the spam that it sends out. It seems that currently mail servers are swamped and spending big money on handling the vast loads of spam that gets pumped into them from other mail servers, so I'm sure they wouldn't mind having a rule like: Refuse to allow email to be transported from any server that spews more than 50% spam. Servers could be audited occasionally to check if they are spammers. Except that lots of spam doesn't *go* through the ISP's server. It's running on some Windows zombie, and delivering mail directly to the recipient's server. It'll only go through the ownee's mail server if the ISP blocks outbound SMTP connections. I don't know exactly how spammers send spam, but a rule like that would sure stop ISPs from allowing any one person to send a thousand emails a day. And that would work if spammers needed an ISP's permissions to send email. But they don't. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/home/mwm/ Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Steven D'Aprano [EMAIL PROTECTED] writes: On Tue, 11 Oct 2005 14:27:30 +, axel wrote: I don't know how much spam other people receive but on one account I hardly receive any as I reserve it for friends and business. On another I had about 40 spam messages which took all of ten seconds to delete. Hardly a serious matter. Can I remind you that spam is approximately 70% of all email traffic these days? Most of that is blocked by the ISPs, but even so you are obviously one of the lucky few. 95% - 99% of all email, not 70% (just ask your ISP). A large percentage of the cost of email is the cost of getting rid of SPAM; and that cannot happen without collateral damage in the form of lost valid email, not just because of improper filtering but also because the more layers are there to touch the email the bigger the chances that it does not arrive. My work email address, on the other hand, is another story. We run a two layer defence: blocking blacklisted addresses at our mail server, and spam assassin at the individual user level. Even with that, I get about 100 spams a day delivered into my inbox, although many of those are addressed to generic email addresses which are automatically forwarded to me. Same here: Sun probably tosses 99% of the email directed at me, yet I get well over 100 spams/day. Casper -- Expressed in this posting are my opinions. They are in no way related to opinions held by my employer, Sun Microsystems. Statements on Sun products included here are not gospel and may be fiction rather than truth. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Casper H.S. Dik [EMAIL PROTECTED] writes: Steven D'Aprano [EMAIL PROTECTED] writes: Can I remind you that spam is approximately 70% of all email traffic these days? Most of that is blocked by the ISPs, but even so you are obviously one of the lucky few. 95% - 99% of all email, not 70% (just ask your ISP). A large percentage of the cost of email is the cost of getting rid of SPAM; and that cannot happen without collateral damage in the form of lost valid email, not just because of improper filtering but also because the more layers are there to touch the email the bigger the chances that it does not arrive. I'd like to take this opportunity to correct myself. I said that I (and another poster) didn't have a spam problem. That's wrong. We don't *appear* to have a spam problem, but that's just an illusion. Our ISPs are spending money - as indicated by Mr. Dik - on filtering spam. They're also spending money to deal with complaints about spam from their customers - in both senses of the sentence, and to pay for the bandwidth the spam is eating up. The bulk providers they buy their bandwidth from also have higher costs to provide bandwidth for spam. These costs are passed on to us. So while we may not have an obvious spam problem, we have one in the sense that spam takes money from our pockets. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/home/mwm/ Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Tue, 11 Oct 2005 11:45:03 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : Jeff Poskanzer, now *he* has a spam problem. He gets a few million spams a day: URL: http://www.acme.com/mail_filtering/ . It is a bit like termites. If we don't do something drastic to deal with spam, the ruddy things will eventually make the entire Internet unusable. The three keys to me are: 1. flipping to a digital id based email system so that the sender of any piece of mail can be legally identified and prosecuted. If every piece of anonymous email disappeared that would go a long way to clearing up spam. Let those sending ransom notes, death threats and hate mail use snail mail. As a second best, correspondents are identified by permission/identity/encryption keys given to them by their recipients. 2. flipping to a sender pays system so that the Internet does not subsidise spam. 3. Mail is not transported without prior permission. The receiver can turn that permission on and off any time he chooses. This is basically an automated version of what Zaep does where the sender is not consciously aware of the permission-getting step. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On 12 Oct 2005 01:43:32 GMT, John Bokma [EMAIL PROTECTED] wrote or quoted : So let's say I decide to send an email to Donald Knuth. :-) I did write him, snail mail, and he responded giving us permission to rewrite any of the algorithms in his famous set of books in to Java. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On 09 Oct 2005 14:06:20 -0700, Paul Rubin http://[EMAIL PROTECTED] wrote or quoted : That's the worst of all. I certainly don't want my mail reader opening network connections to arbitrary places when I read my mail. I have no willingness at all to reveal my mail reading habits or IP address to everyone who sends me email. Obviously you can't trust anything code-like that arrives from strangers. It is an extension of the law Mommy laid down not to take candy from strangers. However, formatted text is not code. Pictures are not code. It is unfair to tar them with the brush of JavaScript or the goofy things Outlook does with enclosures. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Sun, 9 Oct 2005 21:53:52 +0200, Dr.Ruud [EMAIL PROTECTED] wrote or quoted : Don't think that that is true for everybody. For example not for people that are behind central filters that already cope with common spam. The variants of the Nigerian spam are getting cleverer and cleverer to get through the filters. I can't always immediately recognise them. No wonder the spam filter gets fooled too. We victims of spam collectively are about the silliest of victims imaginable. We provide a FREE service to the spammers to torment us with. WE SUBSIDISE THEM. It costs them almost nothing to send a spam, and even at the weakest response percentages they still make money. It is almost like providing ladders and setting out cookies and milk for the burglars. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
In comp.lang.java.programmer Mike Meyer [EMAIL PROTECTED] wrote or quoted: Tim Tyler [EMAIL PROTECTED] writes: In comp.lang.java.programmer Mike Meyer [EMAIL PROTECTED] wrote or quoted: Roedy Green [EMAIL PROTECTED] writes: Read my essay. http://mindprod.com/projects.html/mailreadernewsreader.html I talk around those problems. Virus writers will love the ability to change people's address books remotely. Since - in Roedy's essay - messages are digitally signed, authority to advise about any email address updates would presumably be confined to those people with access to the sender's private key. It's not confined to just people - software can do this as well. In particular, you should expect that the user's mail agent will have to have access to the key, so it can automatically send out the change of address notice when the user changes their address (it actually needs it to send any mail). Viruses regularly make users' mail agents do things. Change my address becomes much more entertaining when that triggers sending out change of address notices to everyone in the address book. More likely, though, there'll be an API for getting the key so that users can change mail agents without invalidating the public key that everyone they correspond with has for them, and the virus will just use that API. Viruses can mail out change of address messages to everyone in the compromised machine's address book today. Of course, viruses don't bother doing that - since it's stupid and pointless. If you've compromised someone's machine there are typically lots more rewarding things to do with it than spoof change-of-address notices. Top of the cracker's list seems to be: * Attack organisations; * Relay spam; * Attempt to compromise other machines; -- __ |im |yler http://timtyler.org/ [EMAIL PROTECTED] Remove lock to reply. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Mon, 10 Oct 2005 08:58:42 +1000, Steven D'Aprano [EMAIL PROTECTED] wrote or quoted : Sheesh Roedy, to listen to you go anyone would think that human communication was impossible before HTML email was invented. People got along fine wearing untanned moosehides too. I don't see any advantage in wearing a hair shirt. That is an unnatural way to talk. I know hundreds of people who would have not the tiniest clue what that email meant. You are indeed fortunate to have landed such a wife. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Wed, 12 Oct 2005 21:44:22 GMT, Roedy Green [EMAIL PROTECTED] wrote: [...] Obviously you can't trust anything code-like that arrives from strangers. It is an extension of the law Mommy laid down not to take candy from strangers. However, formatted text is not code. Pictures are not code. It is unfair to tar them with the brush of JavaScript or the goofy things Outlook does with enclosures. http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx Summary: a buffer overflow problem in Microsoft's JPEG rendering library, used by almost all Windoze email and web clients, would allow an attacker to execute any arbitrary code he wished on your computer simply by tricking you into viewing a doctored JPEG image. Since solved (this problem is _so_ last year, dahling), but it belies your assertion that pictures are not code. Regards, -=Dave -- Change is inevitable, progress is not. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Mon, 10 Oct 2005 08:49:32 +1000, Steven D'Aprano [EMAIL PROTECTED] wrote or quoted : Oh gosh, pictures of a new house. Why didn't you say so??? If you're sending pictures named my_new_house1.jpg etc then OF COURSE they have to be imbedded in a HTML email, otherwise how could anyone know what they were? I suppose you subscribe to the shoebox theory of picture handling. Just dump them in a box. It is OBVIOUS what they are. Go back to them years later, and you would be surprised how baffling they can be, or if the next generation wants to understand them. You suggest there is something nefarious about wanting to caption and share images by email. Why NOT? -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Mon, 10 Oct 2005 00:42:18 +0200, Stefaan A Eeckels [EMAIL PROTECTED] wrote or quoted : I don't understand that attitude. Don't we want email that has dancing bears, cute little videos, musical tunes, animated waving hands, sixty fonts, and looks like it's been done with crayolas? Good grief, man, think like a three year old! That excuse could also be used to explain why you have not cracked a book since high school. The same tools that create dancing bears can do a UML diagram. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Sun, 09 Oct 2005 20:06:34 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : Nah, I've just known people who spend a lot of time - and money - dealing with spam, and we've discussed these issues at great length. You haven't proposed anything that hasn't been proposed before, and rejected for various reasons. As if what we are living with now were preferable to what I propose. It is inertia. It is herd mentality that dare not leap out of the current rut. It is not a particularly difficult technical problem. It is figuring out how to get people to switch over. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Sun, 9 Oct 2005 16:42:02 +0200, Stefaan A Eeckels [EMAIL PROTECTED] wrote or quoted : http://mindprod.com/projects.html/mailreadernewsreader.html It's gone :-) arghh. try http://mindprod.com/projects/mailreadernewsreader.html -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Mon, 10 Oct 2005 01:33:43 +1000, Steven D'Aprano [EMAIL PROTECTED] wrote or quoted : ...is pretty confusing - because public key is a term with a technical meaning in cryptography - and a public key really *is* public. The term you want is wrong, not confusing. In encryption the key you give others to encrypt messages to you is called the public key. It is not public in the sense of everyone knows it. What term do you suggest? -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Sun, 09 Oct 2005 19:25:46 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : The downside is that I have no idea how many people try to contact me out of the blue, or from an address other than the one I sent mail to, but don't bother to answer the response. This is why I wanted a protocol where that was automated. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Sun, 09 Oct 2005 19:25:46 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : Right. Nobody sends email to addresses that come off business cards, or off a web site, or Nowadays website email addresses are becoming rarer. Instead you fill in a form to initiate your conversation. In a business card exchange both parties might set up a permission for the other, so they are not exactly strangers. There are some people who naturally get mail from the general public, e.g. newspaper editors, salesmen, me. However, if you block a sufficiently high percentage of spam, the spam industry will go away and these people will be the natural beneficiaries. You don't need 100% spam blocking to effectively solve the spam problem. You just have to make spam uneconomic. There was an analogous problem with telephone spam. It was even easier for the telepest to get addresses, just add one. That was solved by legal means. It could come back as long distance rates drop and some country harbours them. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Sun, 09 Oct 2005 23:04:49 -, [EMAIL PROTECTED] (Gordon Burditt) wrote or quoted : Read my essay. http://mindprod.com/projects.html/mailreadernewsreader.html I talk around those problems. It requires a fresh start. that should read: http://mindprod.com/projects/mailreadernewsreader.html -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Sun, 09 Oct 2005 23:04:49 -, [EMAIL PROTECTED] (Gordon Burditt) wrote or quoted : I think one necessary function of email and USENET is that it should allow you to SAFELY communicate with strangers or, worse, people you know but do not trust at all, Yes, but with spam ANY communication with an unwanted stranger is a nuisance. There are two kinds of stranger: 1. ones you want to talk to 2. ones you don't. How can you sort people? 1. ones that appear to be trying to sell something 2. ones that others have said were pests. 3. ones you have given temporary/special permission to contact you --- a code word in a personal ad or newsgroup post. 4. Ones who can convince you of their case in a single sentence. 5. Ones who have a reputation as non-spammers (by some sort of consumer reports bureau that issues digital ids.) 6. Ones you have rejected in past (aided by digital ids expensive enough people won't change them like underwear). -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Sun, 09 Oct 2005 20:19:46 +1000, Steven D'Aprano [EMAIL PROTECTED] wrote or quoted : Likewise I avoid emails that are broken. If it looks like it will contain web-bugs, javascript exploits, or badly formatted unreadable text, then I avoid any mail client that can't display it in plain text. And by looks like, I mean contains any HTML. That is overreacting. All you need is something that refuses to run code. There is no need to ignore the formatting. I have well meaning friends who send me rather syrupy emails, formatted. I don't run any enclosures, but I look at the pictures and the message. They are not spam. If people like sending such messages to each other it is not our business to interfere. On the contrary. Our job is to help people send arbitrary messages to each other as easily as possible. Censoring content and style is none of our business. Our job is to help get messages through reliably, safely and efficiently. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Mon, 10 Oct 2005 09:35:58 -0700, Alan Balmer [EMAIL PROTECTED] wrote or quoted : And they don't know about attachments? Attachments are geeky kludge. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Sun, 09 Oct 2005 06:28:04 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : What makes you think I don't have a copy of Opera? Just so happens I've got a registered copy on my newest computer. Then try out the feature. Click View | style | user My copy of Opera doesn't have that menu entry. I suspect you're making platform-specific suggestions. Because you did not seem to be aware of the Opera features. I don't know what version you have or what platform you are using. The only one I can help you with is Opera 8.5 for Windows. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Sun, 09 Oct 2005 06:32:07 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : Formatted spam can include pictures of words. That's a common spam tactic - send a multipart/alternative with a text part that looks like a letter from aunt jane - and mention that you're sending a picture. The picture part is basically a jpeg of a flyer for the spam company's product. Such a jpg would have a lot more sharp edges than a usual photo. Also you tend to have areas of just two colours. Some edge detecting software might have a go at it. However, my rule of thumb is I would not accept photos from the general public, only from a subset of my correspondents. That makes a photo a strong spam indicator. Then there are small corporate logos, which are innocuous. Spamnix does not have such a filtering rule. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Wed, 12 Oct 2005 21:46:12 +, Tim Tyler wrote: Viruses can mail out change of address messages to everyone in the compromised machine's address book today. Of course, viruses don't bother doing that - since it's stupid and pointless. If you've compromised someone's machine there are typically lots more rewarding things to do with it than spoof change-of-address notices. Yes. But erasing hard drives is stupid and pointless, and viruses written by digital vandals do exactly that. Viruses *these days* are mostly written by criminals looking to make money, not criminals looking to do the equivalent of smashing your windows and running away. Suppose I wanted to gather industrial espionage about, oh, say Roedy Green. If my virus could impersonate him, I could tell everyone in sight that his email has changed to [EMAIL PROTECTED] (or wherever). I would harvest his email, forward it on to him so he doesn't even notice, and sell the data to the highest bidder. Or use it for blackmail. Or sell it to companies who want to buy demographic and purchasing information (I see he has bought seven books from Amazon this month...). If you think this is too ridiculous for words, think of this: how valuable to Steve Ballmer and Bill Gates do you think Google's internal emails would be? Information is power, and power makes money. -- Steven. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
However, formatted text is not code. HTML is much more than formatted text. Pictures are not code. It is unfair to tar them with the brush of JavaScript or the goofy things Outlook does with enclosures. If you take all the dangerous stuff out of HTML, like: Links Javascript Forms References to other files you'd have very little left. I suggest that for formatted text, TROFF would be a better start. Gordon L. Burditt -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Roedy Green wrote: snip stuff off topic for comp.lang.c Can all of you please take comp.lang.c out of this thread (and all its sub-threads), since it is totally off topic and NONE of the people on this thread are posting to anything else on comp.lang.c so I doubt any of you are reading it here. -- Flash Gordon Living in interesting times. Although my email address says spam, it is real and I read it. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
I think e-mail should be text only. What if, instead of that crap Outlook produces, which is a mishmash of malformed html, Javascript viruses, self-installing enclosures etc., it were replaced by a rich text that were something like a CSS-style HTML, validated, and preparsed, and compacted for rapid rendering? It would have no hooks in it for viruses or code launching, though it would have clearly marked hypertext links. The question I am getting at is what is bugging you the most? 1. spam which is often associated with formatted mail 2. Trojans that exploit MS email. 3. cutesy pie dancing bears 4. sloppy implementation 5. slow email downloads 6. Puritanical objection to any variation in colour and font. It is unmanly. 7. want it impossible to embed images, not just for you but for everyone. No one has a legitimate interest to embed images. Let us say your answer is all 7. My response is the solution is not to revert to plain text for email. It won't happen. The solution is to move forward and fix the implementations. It is one thing to demand all mail sent to you have no formatting, but quite another to demand all mail sent by anyone to anyone have no formatting or embedded images. I think a modern email system should let your correspondents automatically know of your eccentricity so that mail will automatically be stripped to the bone before sending it to you. My ISP has this quirk and gets irate if I ever slip and send him a formatted mail. I would love it if Eudora remembered that for me and automatically prevented me from doing that. Formatted email has quite legit functions. For example the Health Action Network Society has an optional mailing list that will let you know of any upcoming events relevant to alternative health. The mail looks like a little poster for the event. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
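A sketch of the "formatted text with no hooks for code" idea from the two messages above, as an added example that is not code from the thread or from any mail client. The tag allowlist, the `cid:` rule for images carried inside the message, and the sample message are assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

FORMAT_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li",
               "blockquote", "pre", "h1", "h2", "h3"}
DROP_CONTENT = {"script", "style", "form", "iframe", "object"}
LINK_SCHEMES = {"http", "https", "mailto"}


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed = [], []
        self.skip = 0    # nesting depth inside a dropped element
        self.links = []  # href (or None) for each open <a>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            self.removed.append(tag)
            return
        if self.skip:
            return
        attrs = dict(attrs)
        if tag == "img":
            src = (attrs.get("src") or "").strip()
            alt = attrs.get("alt") or "image"
            if src.lower().startswith("cid:"):
                # Image travels inside the message: no network fetch needed.
                self.out.append('<img src="%s" alt="%s">'
                                % (escape(src, True), escape(alt, True)))
            else:
                self.removed.append("remote-image")
                self.out.append("[remote image not loaded: %s]" % escape(alt))
        elif tag == "a":
            href = (attrs.get("href") or "").strip()
            scheme = urlsplit(href).scheme.lower()
            if scheme in LINK_SCHEMES:
                self.links.append(href)
                self.out.append('<a href="%s">' % escape(href, True))
            else:
                self.links.append(None)  # keep the text, lose the link
                self.removed.append("link:" + scheme)
        elif tag in FORMAT_TAGS:
            # Every attribute is dropped, which removes on* handlers and style.
            self.removed.extend("attr:" + name for name in attrs)
            self.out.append("<%s>" % tag)
        # Any other tag is dropped but its text is kept.

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif self.skip:
            return
        elif tag == "a":
            if self.links:
                href = self.links.pop()
                if href is not None:
                    # Show the real destination next to the link text.
                    self.out.append("</a> [%s]" % escape(href))
        elif tag in FORMAT_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize(html_text):
    """Return (clean_html, list_of_removed_items)."""
    s = MailSanitizer()
    s.feed(html_text)
    s.close()
    s.skip = 0
    while s.links:  # close anchors the sender left open
        s.handle_endtag("a")
    return "".join(s.out), s.removed


# Constructed sample message.
SAMPLE = """<html><body onload="start()">
<p style="color:red">Hello <b onclick="track()">friend</b>,</p>
<script>track()</script>
<img src="http://tracker.invalid/bug.gif?id=42" alt="logo">
<img src="cid:house1" alt="our new house">
<p>Get the <a href="http://updates.invalid/patch">latest security patch</a>
or <a href="javascript:run()">click here</a>.</p>
<form action="http://collector.invalid/"><input name="password"></form>
</body></html>"""

if __name__ == "__main__":
    clean, removed = sanitize(SAMPLE)
    print(clean)
    print(removed)
```

Keeping the parser on an allowlist means a tag or URL scheme nobody thought of is dropped by default; it does nothing about bugs in the image decoder itself, which is the MS04-028 point raised elsewhere in the thread.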
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] writes: On Sun, 09 Oct 2005 20:06:34 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : Nah, I've just known people who spend a lot of time - and money - dealing with spam, and we've discussed these issues at great length. You haven't proposed anything that hasn't been proposed before, and rejected for various reasons. As if what we are living with now were preferable to what I propose. Nope. Any of the rejected proposals would be better than what we have now. It is inertia. It is herd mentality that dare not leap out of the current rut. It is not a particularly difficult technical problem. It is figuring out how to get people to switch over. Yup, you solved an easy problem - designing a spam-proof email system. That's been done any number of times. The hard part is a deployment strategy that will actually get the world to transition to such a system. That's why earlier nearly identical proposals got rejected - nobody could come up with a workable transition plan. Without a transition plan, a better email system is only of academic interest - and not even much of that at this late date. And yes, it's just inertia. Sort of like why the world stays in its orbit is just inertia. If you could get enough people to agree on a solution and switch to it at the same time, you'd be done. But enough is everyone who uses email, so realistically you need a plan - and a system - that lets things interoperate during the transition. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/home/mwm/ Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] writes: On Sun, 09 Oct 2005 06:32:07 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : Formatted spam can include pictures of words. That's a common spam tactic - send a multipart/alternative with a text part that looks like a letter from aunt jane - and mention that you're sending a picture. The picture part is basically a jpeg of a flyer for the spam company's product. Such a jpg would have a lot more sharp edges than a usual photo. Also you tend to have areas of just two colours. Some edge detecting software might have a go at it. It's probably possible. No one has done it yet. However, my rule of thumb is I would not accept photos from the general public, only from a subset of my correspondents. That makes a photo a strong spam indicator. But you also said (in [EMAIL PROTECTED]): Censoring content and style is none of our business. Spam is all about censoring content. But you're proposing censoring style to deal with pictures of words. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/home/mwm/ Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] writes: On Sun, 09 Oct 2005 19:25:46 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : The downside is that I have no idea how many people try to contact me out of the blue, or from an address other than the one I sent mail to, but don't bother to answer the response. This is why I wanted a protocol where that was automated. Um - I don't recall seeing anything in your plan that would provide information I'm missing. I'm sure you could tweak the software to collect it once it were in place. But I could do the same. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/home/mwm/ Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] writes: On Sun, 09 Oct 2005 19:25:46 -0400, Mike Meyer [EMAIL PROTECTED] wrote or quoted : You don't need 100% spam blocking to effectively solve the spam problem. You just have to make spam uneconomic. There are good reasons to doubt this. Most notably, there's no proof that spam is economic now. There's also evidence that non-trivial percentages of spam are more a form of ddos attack than any real attempt to send mail. There was an analogous problem with telephone spam. It was even easier for the telepest to get addresses, just add one. That was solved by legal means. It could come back as long distance rates drop and some country harbours them. Just making it illegal won't do anything. Most spam today is the result of illegal activity, and is part of an illegal or semi-legal activity even if you ignore that. You've got to convince the spammers that large men with guns will show up on their doorstep if they keep it up. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/home/mwm/ Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Wed, 12 Oct 2005 22:02:23 GMT, [EMAIL PROTECTED] (Dave Hansen) wrote or quoted : Summary: a buffer overflow problem in Microsoft's JPEG rendering library, used by almost all Windoze email and web clients, would allow an attacker to execute any arbitrary code he wished on your computer simply by tricking you into viewing a doctored JPEG image. Since solved (this problem is _so_ last year, dahling), but it belies your assertion that pictures are not code. By your definition all socket communications contains code because of the existence of buffer overrun bugs -- probably deliberately put there by unscrupulous employees. The pictureness is not at fault. MS was at fault. No wonder the community has failed to solve spam with attitudes like that -- extreme naysaying, misplacing the source of the problem, and calling each other dahling is bound to get everyone out of a problem-solving mode. You probably were all told the story of the three sillies as a child about people who wept themselves to inaction worrying about imagined futures rather than dealing with the realities of the present. I think fretting about minutiae, and the desire for a perfect anti-spam solution has blocked getting on with a reasonable solution. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Wed, 12 Oct 2005 23:27:26 +0100, Roedy Green [EMAIL PROTECTED] wrote: On Sun, 09 Oct 2005 23:04:49 -, [EMAIL PROTECTED] (Gordon Burditt) wrote or quoted : I think one necessary function of email and USENET is that it should allow you to SAFELY communicate with strangers or, worse, people you know but do not trust at all, Yes, but with spam ANY communication with an unwanted stranger is a nuisance. !-- etc -- Roedy, I would just _love_ to see the response from the industry when you tell them they should dump their whole mail infrastructure, and switch over to a whole new system (new protocols, new security holes, new problems start to finish). I gather that's the gist of the suggestion, a new protocol with built in public key (a fine, well known, accepted term, IMHO it doesn't need changing) cryptography and signature support? IMAP is in many ways better than POP3, but you would be surprised at the weight of an accepted standard I think. -- Ross Bamford - [EMAIL PROTECTED] -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Wed, 12 Oct 2005 21:46:12 GMT, Tim Tyler [EMAIL PROTECTED] wrote or quoted : Viruses can mail out change of address messages to everyone in the compromised machine's address book today. Of course, viruses don't bother doing that - since it's stupid and pointless. A virus is interested in the address book mainly if there is a way it can send itself to other machines, get at their address book in a fission explosion and spread without human intervention. The key that makes that possible is Microsoft's features for running self-executing code in emails. That is the problem. It has nothing to do with formatting or pictures. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Thu, 13 Oct 2005 09:12:46 +1000, Steven D'Aprano [EMAIL PROTECTED] wrote or quoted : Suppose I wanted to gather industrial espionage about, oh, say Roedy Green. If my virus could impersonate him, I could tell everyone in sight that his email has changed to [EMAIL PROTECTED] (or wherever). I would harvest his email I would say by extrapolating the problem of spam and snooping that the next level of email software needs to concentrate on the following: 1. routine and transparent encryption. 2. making spam no longer economic. Blocking all spam is, even in theory, impossible. I sometimes read a message and am ambivalent myself about whether I wanted to read or receive it. The key is to provide efficient, transparent spam solutions. They can be layered to filter higher and higher percentages of mail depending on how big your spam problem is. 3. prevent phishing. When PayPal sends you an email, you want to know for sure it really is from PayPal. This means corporate users at least will all have digital ids, and all emails will be digitally signed. 4. status tracking. Unless blocked by the receiver, the sender knows if his message has been received/read. 5. making it impossible for any incoming email to mount any sort of attack. The only parts the email software processes are the data parts. Any enclosed programs must be explicitly installed. The email software would warn if any code were not digitally signed with proper certificate to identify the author. Especially with spam, there are no perfect solutions, but at least we could do many times better than what we are living with and put the spammers out of business. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] wrote: On 12 Oct 2005 01:43:32 GMT, John Bokma [EMAIL PROTECTED] wrote or quoted : So let's say I decide to send an email to Donald Knuth. :-) I did write him, snail mail, and he responded giving us permission to rewrite any of the algorithms in his famous set of books in to Java. Like I quoted, he does even get (some) email (printed out that is) :-). But I think snail mail is better. -- John Small Perl scripts: http://johnbokma.com/perl/ Perl programmer available: http://castleamber.com/ I ploink googlegroups.com :-) -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] writes: [...] Especially with spam, there are no perfect solutions, but at least we could do many times better than what we are living with and put the spammers out of business. A partial solution to spam, or at least to pollution of Usenet newsgroups, would be to STOP POSTING THIS STUFF TO NEWSGROUPS WHERE IT'S NOT RELEVANT. There are several newsgroups that deal with e-mail abuse. This discussion isn't being posted to any of them. Please stop. -- Keith Thompson (The_Other_Keith) [EMAIL PROTECTED] http://www.ghoti.net/~kst San Diego Supercomputer Center * http://users.sdsc.edu/~kst We must do something. This is something. Therefore, we must do this. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Links Javascript Forms References to other files the only piece of that particularly dangerous is JavaScript. So long as you have a scheme to unmask where links are really going links are no more dangerous than they are in browser. Browsers don't read unsolicited web sites. Email readers do, however, read unsolicited email, and email from downright hostile correspondents. And I consider web bugs and similar tracking methods to be a danger for something that's supposed to be ONLY formatted text. Even a form is not dangerous. You have to fill it in and hit submit. So where does the submitted data GO? And there's all kind of information in there about what software I'm running. Gordon L. Burditt -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
I would say by extrapolating the problem of spam and snooping that the next level of email software needs to concentrate on the following: 1. routine and transparent encryption. OK, but the Feds are really going to hate that. 2. making spam no longer economic. Blocking all spam is, even in theory, impossible. I sometimes read a message and am ambivalent myself about whether I wanted to read or receive it. The key is to provide efficient, transparent spam solutions. They can be layered to filter higher and higher percentages of mail depending on how big your spam problem is. One way of making spam non-economic would be making it difficult to use throw-away identities. If I block by someone's identity, it stays blocked. 3. prevent phishing. When PayPal sends you an email, you want to know for sure it really is from PayPal. This means corporate users at least will all have digital ids, and all emails will be digitally signed. I'm assuming that email is supposed to be useful and usable for *SAFELY* conducting a conversation (or negotiations) with someone out to kill you or steal from you. (Consider union vs. management, any husband vs. his ex-wife, the IRS vs. everyone, whistleblower vs. employer, etc.) 4. status tracking. Unless blocked by the receiver, the sender knows if his message has been received/read. I consider this an unacceptable risk to the receiver, unless the acknowledgement is manually initiated. It also risks a lot of confusion regarding what constitutes read, especially if the user saved it into a file without displaying it. I'm assuming here that there are some people (e.g. George W. Bush) who will attempt to try to turn an IP address into a geographic location and launch missiles at it when he finds out Osama Bin Laden read his email. At least when Osama *sends* email, he can click the send button and run like hell. 5. making it impossible for any incoming email to mount any sort of attack. 
the only parts the email software processes are the data parts. Any enclosed programs must be explicitly installed. The email software would warn if any code were not digitally signed with proper certificate to identify the author. In HTML, that means NO links, NO Javascript, NO forms, and NO references to other files. Reading your email should not generate hits on anything specified by the sender. Gordon L. Burditt -- http://mail.python.org/mailman/listinfo/python-list
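The rule stated in the post above (no links, no Javascript, no forms, no references to other files, and no hits on anything specified by the sender) can be checked mechanically before a message is rendered. The following Python sketch is an added example, not code from any poster in this thread; the sample message, its host names and the category labels are constructed for illustration.

```python
# Added example: list everything in an HTML mail body that would make the
# reader's client contact, or hand data to, a location chosen by the sender.
import re
from collections import Counter
from html.parser import HTMLParser

# Attributes that make a client fetch a resource while rendering.
FETCH_ATTRS = {"src", "background", "poster", "data", "srcset"}
# cid: and data: refer to content carried inside the message itself.
LOCAL_SCHEMES = ("cid:", "data:")
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)


class MailHtmlAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []          # (category, tag, value)
        self._in_style = False

    def _css(self, tag, text):
        for url in CSS_URL.findall(text):
            if not url.lower().startswith(LOCAL_SCHEMES):
                self.findings.append(("remote-fetch", tag, url))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script", tag, ""))
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            value = (value or "").strip()
            low = value.lower()
            if name.startswith("on"):                 # onload, onclick, ...
                self.findings.append(("script", tag, name))
            elif name in FETCH_ATTRS and value:
                if not low.startswith(LOCAL_SCHEMES):
                    self.findings.append(("remote-fetch", tag, value))
            elif name == "href" and value:
                if low.startswith("javascript:"):
                    self.findings.append(("script", tag, value))
                elif tag == "link":                   # stylesheet etc.
                    self.findings.append(("remote-fetch", tag, value))
                else:
                    self.findings.append(("link", tag, value))
            elif name in ("action", "formaction"):
                self.findings.append(("form", tag, value))
            elif name == "style":
                self._css(tag, value)
        if tag == "form" and not any(n == "action" for n, _ in attrs):
            self.findings.append(("form", tag, ""))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                            # url(...) in a <style> block
            self._css("style", data)


def audit_html_mail(html):
    parser = MailHtmlAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(html):
    return dict(Counter(category for category, _, _ in audit_html_mail(html)))


def is_passive(html):
    """True when rendering the body needs nothing the sender points at."""
    return not audit_html_mail(html)


# Constructed sample body; every host name is a placeholder.
SAMPLE = """<html><body style="background:url(http://tracker.example/bg.png)">
<p>Hello <b>there</b></p>
<img src="http://tracker.example/open.gif?id=42" width="1" height="1">
<img src="cid:photo1">
<a href="http://shop.example/">offer</a>
<form action="http://collect.example/submit"><input name="pw"></form>
<script>document.title = "x"</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_html_mail(SAMPLE):
        print(finding)
```

A mail client applying the rule would render a body only when `is_passive` is true, or strip the reported elements first; the `cid:` image is not reported because it is carried inside the message.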
Re: Jargons of Info Tech industry
Keith Thompson [EMAIL PROTECTED] wrote: There are several newsgroups that deal with e-mail abuse. This discussion isn't being posted to any of them. Please stop. This just adds to the noise, and isn't going to work. Just kill the entire thread. -- John Small Perl scripts: http://johnbokma.com/perl/ Perl programmer available: http://castleamber.com/ I ploink googlegroups.com :-) -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] writes: On Wed, 12 Oct 2005 21:46:12 GMT, Tim Tyler [EMAIL PROTECTED] wrote or quoted : Viruses can mail out change of address messages to everyone in the compromised machine's address book today. Of course, viruses don't bother doing that - since it's stupid and pointless. Except with Roedy's proposal, all the target's correspondents' address books would get updated automatically. It's got much the same effect as filling a change of address at the local post office for someone. It's a nasty practical joke. But much nicer than some of the things that viruses do today. The key that makes that possible is Microsoft's features for running self-executing code in emails. That is the problem. It has nothing to do with formatting or pictures. No, that's what makes email a vector for infection. What makes using the address book - for whatever purpose - possible for viruses is having an API that allows arbitrary code to access it. But you have to have that API - your customers are going to insist that they be able to use their address book from third party applications. These days, viruses don't spread through a single vector; they use multiple vectors, and will try them all once they've infected a machine. So you may cruise a web site that infects you, and the virus will then mail copies of itself to everyone in your address book, as well as infecting any web servers that may be running on the machine, and probing random IP addresses close to yours, and so on. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/home/mwm/ Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] writes: 3. prevent phishing. When PayPal sends you an email, you want to know for sure it really is from PayPal. This means corporate users at least will all have digital ids, and all emails will be digitally signed. That won't prevent phishing, that will just raise the threshold a little. The first hurdle you have to get past is that most mail agents want to show a human name, not some random collection of symbols that map to a unique address. Even if you do that, most readers aren't going to pay attention to said random collection of symbols. Given that, there are *lots* of tricks that can be used to disguise the signed name, most of which phishers are already using. How many people do you think will really notice that mail from John Bath, PayPal Customer Service Representative ([EMAIL PROTECTED]) isn't really from paypal? Unicode makes things *really* interesting. 4. status tracking. Unless blocked by the receiver, the sender knows if his message has been received/read. Got that already. 5. making it impossible for any incoming email to mount any sort of attack. the only parts the email software processes are the data parts. Any enclosed programs must be explicitly installed. The email software would warn if any code were not digitally signed with proper certificate to identify the author. How 20th century of you. Making it impossible to send executable code as content is a major step backwards from what we've got now, and you're the last person I would have expected to do that. The solution is to run the code in a sandbox. This is an old technology, and fairly well understood. Except maybe in Redmond. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/home/mwm/ Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. -- http://mail.python.org/mailman/listinfo/python-list
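The display-name problem raised in the post above (a human-readable name that claims PayPal while the address belongs to someone else, with Unicode making it harder to spot) is something a mail client or filter can flag at delivery time. This Python sketch is an added example, not code from any poster; the `BRANDS` policy table, the warning labels and all sample headers are constructed, and the script test is a heuristic based on Unicode character names.

```python
# Added example: flag From: headers whose display name claims more than the
# address supports.
import unicodedata
from email.utils import parseaddr

# Hypothetical local policy: brand keyword -> domains allowed to use it.
BRANDS = {"paypal": {"paypal.com"}}


def scripts_used(text):
    """Scripts of the letters in text, taken from the first word of each
    Unicode character name (LATIN, CYRILLIC, GREEK, ...). Heuristic only:
    a legitimate name can mix scripts, so treat a hit as a warning."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}


def domain_allowed(domain, allowed):
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_from(header, brands=BRANDS):
    display, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    shown = display.casefold()
    warnings = []
    # 1. The name mentions a brand, the address is not in that brand's domain.
    if any(keyword in shown and not domain_allowed(domain, allowed)
           for keyword, allowed in brands.items()):
        warnings.append("brand-mismatch")
    # 2. The name itself looks like an address, but not the real one.
    if "@" in display and shown != addr.casefold():
        warnings.append("address-in-display-name")
    # 3. Letters from more than one script in the name or in the domain.
    if len(scripts_used(display)) > 1 or len(scripts_used(domain)) > 1:
        warnings.append("mixed-script")
    return warnings


# Constructed headers. \u0430 is CYRILLIC SMALL LETTER A, which renders like
# a Latin "a" in most fonts.
SAMPLES = [
    '"PayPal" <service@paypal.com>',
    '"John Bath, PayPal Customer Service Representative" <jbath@mail.example.net>',
    '"P\u0430yPal Support" <support@mail.example.net>',
    '"service@paypal.com" <x@mail.example.net>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_from(header), ascii(header))
```

The third sample shows why the keyword test alone is not enough: the Cyrillic letter defeats the substring match, and only the script check reports it.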
Re: Jargons of Info Tech industry
In comp.lang.perl.misc Roedy Green [EMAIL PROTECTED] wrote: HTML is a problem on *other* people's crappy software as well. It wasn't designed to carry code content, but has been hacked up to do that. It seems to me it goes without saying that you cannot trust code from strangers, especially anonymous strangers. You simply don't run code sent in email except from highly trusted individuals. If you do, that is YOUR fault for being such a silly ass not the mail system's ability to deliver code. It is as stupid as running code that came as an attachment. One of the ideas I play with in my essay is that you could insist your correspondents have digital id certificate signed by Thawte or other CA attesting to their identity, thus giving you legal recourse against them if they send you spam, Trojans etc. This would slow them down with requests for permission to send. They could send only one per certificate. The cost and hassle of getting the certificate could deter them, and uniquely identify them for blocking and public black lists. Plus being a total pain for legitimate correspondents and also expensive. I don't know how much spam other people receive but on one account I hardly receive any as I reserve it for friends and business. On another I had about 40 spam messages which took all of ten seconds to delete. Hardly a serious matter. Axel -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
[EMAIL PROTECTED] writes: I don't know how much spam other people receive but on one account I hardly receive any as I reserve it for friends and business. On another I had about 40 spam messages which took all of ten seconds to delete. Hardly a serious matter. You don't have a spam problem. I get a few thousand spams a day - which get filtered down to a handful. I don't have a spam problem. Jeff Poskanzer, now *he* has a spam problem. He gets a few million spams a day: URL: http://www.acme.com/mail_filtering/ . For anyone who runs an ISP, spam is chewing up an ever-growing percentage of their bandwidth, and a significant fraction of their staff time. They have a spam problem. But me and you, we don't have a spam problem. At most it's an annoyance. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/home/mwm/ Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Tue, 11 Oct 2005 14:27:30 +, axel wrote: I don't know how much spam other people receive but on one account I hardly receive any as I reserve it for friends and business. On another I had about 40 spam messages which took all of ten seconds to delete. Hardly a serious matter. Can I remind you that spam is approximately 70% of all email traffic these days? Most of that is blocked by the ISPs, but even so you are obviously one of the lucky few. My home address, which I cunningly will not give you, used to get about fifty spams a day until I changed ISPs and email addresses. That would quadruple for a week or so whenever one of my Windows-using friends would get infected by a virus. My current home address only gets about one a month, which is what I consider acceptable. My work email address, on the other hand, is another story. We run a two layer defence: blocking blacklisted addresses at our mail server, and spam assassin at the individual user level. Even with that, I get about 100 spams a day delivered into my inbox, although many of those are addressed to generic email addresses which are automatically forwarded to me. Four years ago, one of our sys admins accidentally turned off the blacklisting at the mail server. In the ten minutes it took to get it turned back on, the CEO of our company received eight hundred spams. -- Steven. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Tue, 11 Oct 2005 14:27:30 GMT, [EMAIL PROTECTED] wrote or quoted : This would slow them down with requests for permission to send. They could send only one per certificate. The cost and hassle of getting the certificate could deter them, and uniquely identify them for blocking and public black lists. Plus being a total pain for legitimate correspondents and also expensive. First understand that you only have to get permission to send once. That carries on until revoked. Permission gives me an encryption key and permission to send mail to you. Also I envision by the time this comes into being most people will be 24-7 attached. So let's say I decide to send an email to Donald Knuth. I compose my one line introduction. I compose my email and walk away. Without further hassle on my part, either my mail will be delivered, or will be rejected or it will sit in limbo until Dr. Knuth gets time to decide. If he rejects my plea, my mail will never arrive at his site. Presumably Dr. Knuth would configure his software to accept only pleas from people with digital ids, and further to accept at most one plea from them and to remember his no for at least a year. -- Canadian Mind Products, Roedy Green. http://mindprod.com Again taking new Java programming contracts. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] wrote: So let's say I decide to send an email to Donald Knuth. :-) -- John Small Perl scripts: http://johnbokma.com/perl/ Perl programmer available: http://castleamber.com/ I ploink googlegroups.com :-) -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] writes: So let's say I decide to send an email to Donald Knuth. Good luck. Prof. Knuth stopped reading email years before there was a big spam problem. He uses his own version of hashcash to cut down on unimportant mail: if you want to write to him, you have to send him snail mail, which means buying and using an actual postage stamp. I do something like that, sort of. I no longer publish an email address, including on business cards and so forth. I have a contact url that I give out instead, which keeps me off mailing lists. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Paul Rubin http://[EMAIL PROTECTED] wrote: Roedy Green [EMAIL PROTECTED] writes: So let's say I decide to send an email to Donald Knuth. Good luck. Prof. Knuth stopped reading email years before there was a big spam problem. Not entirely true: My secretary prints out all messages addressed to taocp at cs.stanford.edu or knuth-bug at cs.stanford.edu, so that I can reply with written comments when I have a chance. http://www-cs-faculty.stanford.edu/~knuth/email.html And I am sure Roedy is aware of this, hence his example ;-) -- John Small Perl scripts: http://johnbokma.com/perl/ Perl programmer available: http://castleamber.com/ I ploink googlegroups.com :-) -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
Roedy Green [EMAIL PROTECTED] writes: On Sat, 08 Oct 2005 23:33:13 GMT, Rich Teer [EMAIL PROTECTED] wrote or quoted : What the hell has that got to do with HTML email? Sending photos is an example of what attachments are for. Normally you send photos to grandma with captions under each photo. That is far more convenient for the technopeasant receiver than dealing with multiple attachments. I'd like to agree, but I haven't received *ANY* properly formatted, captioned and readable list of photos in an HTML email message in a long while. What I usually get is an email message with a completely irrelevant subject -- usually a reply to a random thread that happened to include my email address in the recipient list -- with a message body as useless as: Here's a photo collection or even more useless, or empty. This and other things, that show the original poster of the particular HTML email message has _no_ intention to spend just *one* minute to properly write a readable, useful email message, tend to be the main reasons why I block all HTML email messages from non-work-related email addresses, save them in a special folder and look at them only when I really feel like spending some time to weed through the junk. -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
In comp.lang.perl.misc John Bokma [EMAIL PROTECTED] wrote: Roedy Green [EMAIL PROTECTED] wrote: On 8 Oct 2005 23:39:27 GMT, John Bokma [EMAIL PROTECTED] wrote or quoted : Yeah, yeah, and 640K is enough for everybody. Same song, different tune. For how long. Surely attachments are a stop gap. Can you imagine people sharing images that way 100 years from now? No, but I agree with you :-) I am not using HTML myself in email, but I will when it makes things easier. Why should we wait for the future? The problems blocking easy to use photo sharing are not technological but social. Yup, agreed. Like I already wrote, if I route all HTML email to /dev/null I'll lose some customers, and some friends :-) What I find is that when I see emails which are obviously spam, I simply do not read them and delete them immediately. But then I use Pine rather than a web browser... and while some forms of HTML may be rendered, nothing is automatically pulled down. Axel -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
In comp.lang.perl.misc Tim Tyler [EMAIL PROTECTED] wrote: In comp.lang.java.programmer Steven D'Aprano [EMAIL PROTECTED] wrote or quoted: Only if your photos are so obscure and confusing that they need captions. Here's Johnny with the dog. Here is Johnny with the dog again. This one is Johnny on his own. Here is the dog. Oh look, it is Johnny with the dog again -- that's the dog on the left, in case it isn't clear. Just for a change, this is Johnny wearing a hat. It is blue with a feather in it, in case you couldn't tell from, oh I don't know, looking at the actual picture. What have you got against captions? Giving photos captions is a *very* common practice. Why not just put them on a web page? It is then possible to include thumbnails so the recipient can choose to see which ones he cares to look at in detail. It also allows the web address to be sent to several people without wasting bandwidth. Axel -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Sat, 08 Oct 2005 20:43:12 GMT, Roedy Green [EMAIL PROTECTED] wrote: On Tue, 04 Oct 2005 17:57:13 -, [EMAIL PROTECTED] (Gordon Burditt) wrote or quoted : HTML enables a heck of a lot of problems: web bugs in email, links to fake sites that appear as real ones in what shows up on the screen, Javascript viruses, denial-of-service attacks (pages that open two windows when you close one), etc. That is like hating all choirs because televangelists use them. I liken it more to hating all viruses because some of them install keyloggers. I take it then you avoid browsers or use Lynx? No you FIX the problems rather than wear a hair shirt. Same for email. Why should rich expressions only be permitted to those with websites. Some people use email PRIMARILY for sharing photos. And they don't know about attachments? -- Al Balmer Balmer Consulting [EMAIL PROTECTED] -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On 9 Oct 2005 13:12:43 -0700, [EMAIL PROTECTED] wrote: My grandma doesn't put captions in her photo album, and she doesn't need captions on her photos in email. She doesn't need captions in the album because she will explain the pictures, at length, every single one of them, to anyone who comes within grabbing distance. Here's Johnny with the dog. Here is Johnny with the dog again. This one is Johnny on his own. Here is the dog. Oh look, it is Johnny with the dog again -- ... If your photos are so banal then only people who would recognise the people would care about them. Captions are for people who won't recognise the subject of the photo. When you send a photo of a house to Grandma is she supposed to just _know_ that it is your new house, or the one across the road, or the one that burnt down last week? You might try something truly innovative, like including a line in the email that says Hi, Grandma, here's a picture of our new house. -- Al Balmer Balmer Consulting [EMAIL PROTECTED] -- http://mail.python.org/mailman/listinfo/python-list
Re: Jargons of Info Tech industry
On Sun, 09 Oct 2005 00:03:05 +0200, Lasse Vågsæther Karlsen [EMAIL PROTECTED] wrote: In any case, html email is here to stay. Or perhaps I should remove html and say richly formatted, whatever that might mean in the future. But trying to keep your email world into a pure text-based no-formatting-whatsoever world, that's a fantasy bubble that is bound to burst, sooner rather than later. Deal with it. And you're calling other people control freaks! Sorry to burst *your* bubble, but no one has to deal with it. For centuries, intelligent people have managed to convey information using plain text, and they'll manage for the foreseeable future. I'm surprised that you can bring yourself to write articles in such a humble venue as Usenet. -- Al Balmer Balmer Consulting [EMAIL PROTECTED] -- http://mail.python.org/mailman/listinfo/python-list