[LINK] Re: executable content vs plain data
Craig Sanders
cas at taz.net.au
Sun Jan 20 11:24:50 AEDT 2008
On Sat, Jan 19, 2008 at 01:50:56PM +1100, Rick Welykochy wrote:
> Craig Sanders wrote:
>
>> On Fri, Jan 18, 2008 at 03:26:55PM +1100, Rick Welykochy wrote:
>>> How does this apply to Link? Reasoned analysis like this is
>>> easily disseminated now like never before. Public opinion can
>>> be better informed and force policy changes like never before.
>>
>> another reason this is relevant to Link is the disturbing fact that the
>> video is only available as a flash movie hosted on youtube. i.e. it's a
>> program that you have to run rather than just video data in a file which
>> can be played by any video player program (any player that has the right
>> video codecs, of course).
>
> The same argument can be applied to software required to view/edit
> thousands of proprietary formats. It is a problem, but for a different
> reason.

no, it's a different argument entirely.

this is a variation of the "don't run programs that you receive in
email, even if the mail headers claim to come from people you know"
argument.

proprietary data formats, while annoying etc etc, are still just data.
the user processes it in some way with existing programs on their own
computer.

flash videos are executable programs. they could do anything.

>> which means that you have to be willing to run unknown, untrustworthy,
>> and untrustable executable programs in order to view it.
>
> And how can millions of Windows users trust a software upgrade?
>
> Do millions of Linux users audit the source code of everything they
> download in binary form and run on their machines? This is not even
> possible for proprietary programs like Adobe Reader, Corel and other
> software.
>
> Why would one trust Adobe/Flash less than trusting other mega corporation
> software downloads?

that's not the point. whether or not you do, or should, trust your OS
and/or applications providers is another issue entirely.

the point is, you not only have to trust the player software, if you
enable (or, fail to disable) executable content on your browser, you
also have to trust every web site you ever visit.

i don't want to run random programs provided by complete strangers
on some web site. so, i don't. if they have content that i want to
view then i find some way to get at that content without having to run
it...and if i can't do that, then i just give up. it's not worth the
hassle and it's not worth the risk.

> The real problem: 99.9% of computer users could hardly be bothered
> to (a) download and store the stream and (b) play it on software they
> can trust.

so?

that's supposed to be a reason for wrapping and locking up data in some
executable?

and it's all completely unnecessary. there are numerous data file
formats for storing video and audio, and browsers are capable
of displaying video data all by themselves, or with the help of
user-installed plugins.

>> this is a serious problem with youtube and similar sites - it encourages
>> dangerously risky behaviour on the part of users, most of whom don't
>> know any better and, now they've got used to the "convenience" of sites
>> like youtube will refuse to be convinced that it's dangerous, that there
>> are better, safer ways that such sites could - and should - work.
>
> LOL ... we threw that baby out with the bath water years ago. As usual,
> you are speaking from a highly trained technical high chair and
> preaching to computer illiterati who would have no clue what you are
> talking about and furthermore no skills to circumvent the problem.

they never will learn if nobody ever bothers to raise the issue.

IMO, it is the responsibility of people like me (and you) who do
understand the issues to point them out - and explain them - to people
who don't.

and not solely as an act of altruism - the net works better when it's
not contaminated by millions of virus-infected zombie machines.

> I do not agree that sites like YouTube and the like are dangerously
> risky. All I can conclude is that surfing the web with an insecure

i didn't say that youtube was dangerously risky. i said that the habit
of running random executable programs from web sites was dangerously
risky. youtube is one of several sites that encourage such risky
behaviour.

> browser (or misconfigured Internet zone setup) using Windows and
> Internet Explorer is *extremely risky* behaviour. The only solution
> is to become quite technically trained, replace all insecure software
> you are running with secure versions (whatever that really means) and
> then drive the info superhighway with extreme caution.
>
> This is impractical, impossible, unattainable and futile.

only because you set it up to be so.

non-techs could just listen to the advice from people who are
technically literate. you don't have to be able to read, understand, or
hack the code to be able to run firefox, nor do you have to be a kernel
hacker to run linux...you don't even have to be technically proficient
these days.

> Five minutes watching a teen (for example) whizz around dozens of web
> sites, downloading emails and merrily clicking on anything with colour
> and movement will convince you of that. The fact that they are doing
> this on Windows sends chills down my spine.

yes, and they're never going to know that there is any kind of problem
with doing that unless someone tells them.

and you can be sure that youtube et al aren't going to - that might
compromise their business model.

> The real problem is not Flash.

the real problem is executable content of which flash is only one
example...as you point out, it's not the worst/most dangerous example,
but the fact that there are worse executable data formats around doesn't
excuse flash.

> Although an annoying vector for sending
> out animated adverts, easily stopped with a blocker, I do trust the
> Flash and Shockwave software.

i don't. all software has bugs, and there are people willing to exploit
such bugs (and not just script-kiddies any more, there's big money and
organised crime involvement in malware these days).

> Much more worrying is the ease with
> which the illiterati will download and execute programs that they
> could not possibly trust, or as in the case of Sears marketing,
> unwittingly download executable software (spyware).

i really don't see any difference. executable content is executable
content.

craig

--
craig sanders <cas at taz.net.au>

Avoid the Gates of Hell. Use Linux
        -- unknown source