[LINK] Re: executable content vs plain data

Rick Welykochy rick at praxis.com.au
Sat Jan 19 13:50:56 AEDT 2008 

Craig Sanders wrote:

> On Fri, Jan 18, 2008 at 03:26:55PM +1100, Rick Welykochy wrote:
>> How does this apply to Link? Reasoned analysis like this is
>> easily disseminated now like never before. Public opinion can
>> be better informed and force policy changes like never before.
> 
> another reason this is relevant to Link is the disturbing fact that the
> video is only available as a flash movie hosted on youtube. i.e. it's a
> program that you have to run rather than just video data in a file which
> can be played by any video player program (any player that has the right
> video codecs, of course).

The same argument can be applied to software required to view/edit thousands
of proprietary formats. It is a problem, but for a different reason.


> which means that you have to be willing to run unknown, untrustworthy,
> and untrustable executable programs in order to view it.

And how can millions of Windows users trust a software upgrade?

Do millions of Linux users audit the source code of everything they
download in binary form and run on their machines? This is not even
possible for proprietary programs like Adobe Reader, Corel and other
software.

Why would one trust Adobe/Flash less than trusting other mega corporation
software downloads?

Your rant is intellectually pure but practically unimplementable.


> or download it (which can be a difficult exercise in itself - youtube
> wants you to stream the video, not download it and view it at your
> leisure) and attempt to extract the video data from the executable.

The .FLV file format is really just a container for H.263 and H.264
video formats. Nothing executable about the video file itself. In fact,
it is *less exectuable* than an MS Word document. And we've all downloaded
and viewed those, by necessity.

You can easily obtain software that downloads and stores the Flash Video
Stream to a file.

Just as easily are video players that play Flash Video. VLC Player and
Perian for Quicktime come to mind.

The real problem: 99.9% of computer users could hardly be bothered
to (a) download and store the stream and (b) play it on software they
can trust.


> this is a serious problem with youtube and similar sites - it encourages
> dangerously risky behaviour on the part of users, most of whom don't
> know any better and, now they've got used to the "convenience" of sites
> like youtube will refuse to be convinced that it's dangerous, that there
> are better, safer ways that such sites could - and should - work.

LOL ... we threw that baby out with the bath water years ago. A usual,
you are speaking from a highly trained technical high chair and
preaching to computer illiterati who would have no clue what you are
talking about and furthermore no skills to circumvent the problem.

I talk to the illiterati all the time about such things and am
always met with a blank but more importantly uncaring stare. When
I explain the dangers further (e.g. identify theft, data theft)
the response is that they have nothing they are really worried
about on their PC. Which makes me laugh quietly to myself.

Until one gets a virus that brings the home network down, viruses
are simply not in the radar. Until one's bank account is emptied by
a crim, phishing does not apply to them. So it goes.

I do not agree that sites like YouTube and the like are dangerously
risky. All I can conclude is that surfing the web with an insecure
browser (or misconfigured Internet zone setup) using Windows and
Internet Explorer are *extremely risky* behaviour. The only solution
is to become quite technically trained, replace all insecure software
you are running with secure versions (whatever that really means)
and then drive the info superhighway with extreme caution.

This is impractical, impossible, unattainable and futile.

Five minutes watching a teen (for example) whizz around dozens of
web sites, downloading emails and merrily clicking on anything
with colour and movement will convince you of that. The fact that
they are doing this on Windows sends chills down my spine.

The real problem is not Flash. Although an annoying vector for sending
out animated adverts, easily stopped with a blocker, I do trust the
Flash and Shockwave software. Much more worrying is the ease with
which the illiterati will download and execute programs that they
could not possibly trust, or as in the case of Sears marketing,
unwittingly download executable software (spyware).

To conclude, the new subject of this thread does not apply in
the case of Flash Video. It does apply to many other types of
content, including the MS Office document formats which contain
macros and Active-X controls which contain executable VB code.

cheers
rickw


-- 
_________________________________
Rick Welykochy || Praxis Services

Once a new technology starts rolling, if you're not part of the
steamroller, you're part of the road.
      -- Stewart Brand

More information about the Link mailing list