[LINK] Excitable Nanny & Scumware

Kevin Littlejohn darius@bofh.net.au
Tue, 04 Sep 2001 20:47:03 +1000


>>> Malcolm Miles wrote
> On Tue, 4 Sep 2001 13:18:12 +1000, you wrote:
> 
> >On Tue, Sep 04, 2001 at 10:48:34AM +1000, Rick Welykochy wrote:
> >> Interesting. Once again, only MS/IE running on Windows can be infected
> >> with scumware. I wonder which straw will break the back of the hapless
> >> Windows user?
> 
> >one of the reasons why MS products are such security nightmares is that
> >they don't have to fix them. most people will use their software anyway,
> >no matter how bad it is.
> 
> I am not sure where you see the security hole in IE here. The user has
> downloaded and installed some music-sharing software that also hooks into
> IE as some sort of plug-in. Presumably it sits in the background monitoring
> received HTML code and adding its own little touches on the way through.
> No reason why a similar thing couldn't be written to work with Netscape or
> any other browser.

The bug is in the attitude toward such plugins, if anything.  This is a 
problem that Unix shares, albeit a little bit less because of the user vs. 
root setup.  But really, if you're installing a program and it wants to hook 
into IE's renderer (or wherever it hooks), it _should_ have to ask you for 
permission.  Just because I install a program, doesn't mean I've given it 
carte blanche to hook into the rest of my system.

Hard to blame the users for not demanding security when most techies aren't 
particularly aware of the varying ways to manage security.  Hard to blame the 
programmers when they're producing under market force pressures.  Hard to 
blame the sales droids (is my bias showing? :) when they're just out there 
trying to convince the users they want the product...

KevinL
(For the tech-heads:  http://www.erights.org/ outlines, amongst other things, 
a security system that'd allow you to manage such things.  'course, the only 
OSes that operate in these ways are, um, arcane ;(
-- 
Internet techie                    Obsidian Consulting Group
http://www.obsidian.com.au/           darius@obsidian.com.au