[LINK] Re: executable content vs plain data

Rick Welykochy rick at praxis.com.au
Sun Jan 20 12:50:48 AEDT 2008 

Craig Sanders wrote:

> flash videos are executable programs.   they could do anything.

Flash videos are in the same class as JPEG images: just data.

The Flash plugin to play Flash videos is an executable. If you do not
trust it, then you can block flash.


> i don't want to run random programs provided by complete strangers
> on some web site. so, i don't. if they have content that i want to
> view then i find some way to get at that content without having to run
> it...and if i can't do that, then i just give up. it's not worth the
> hassle and it's not worth the risk.

A secure browser *never* downloads and executes programs without the
user first enabling the download and installation. This is how the
plug-in installation process works.

Can you give me an example of a web site that provides a *program*
to be run by the browser?




>> The real problem: 99.9% of computer users could hardly be bothered
>> to (a) download and store the stream and (b) play it on software they
>> can trust.
> 
> so?
> 
> that's supposed to be a reason for wrapping and locking up data in some
> executable?
> 
> and it's all completely unnecessary. there are numerous data file
> formats for storing video and audio, and browsers are capable
> of displaying video data all by themselves, or with the help of
> user-installed plugins.

Flash is just yet another plug-in. Trust it or don't.
Flash video is not a video wrapped up as an executable.




>> I do not agree that sites like YouTube and the like are dangerously
>> risky. All I can conclude is that surfing the web with an insecure
> 
> i didn't say that youtube was dangerously risky. i said that the habit
> of running random executable programs from web sites was dangerously
> risky. youtube is one of several sites that encourage such risky
> behaviour.

Once again, give me but one example of a site that requests you download
and execute an executable file. That is, a file that is executable code,
not content.


> non-techs could just listen to the advice from people who are
> technically literate.

Experience shows that most people simply do not listen. This alludes
to the concept of the "Internet Dirver's Licence" which many geeks
lament.


> i really don't see any difference.  executable content is executable
> content.

I see quite a difference between content played via a plug-in and the
plug-in itself. The former is just data and the latter is an executable.

If you have the Adobe PDF Viewer installed as a plug-in, that is an
executable you presumably agreed to have installed in your browser.

When you download a PDF and view it in using the plug-in, in my dictionary
you are downloading data and viewing it with a plug-in. My dictionary
does not call this downloading executable content, since you cannot "run"
a PDF file.

I think we are quibbling over definitions. To disambiguate: please tell me
how to "run" a PDF file or a Flash video on my computer. My definition of
"run" or "execute" precludes running a PDF. There is no OS program loader for
a PDF and there is no executable (binary or bytecode) in the PDF. Same can
be said for a Flash video. For the latter, one can execute VLC and it will
load and play the video. But you cannot "run" a video in any sense, just as
you cannot "run" a JPEG or Word doc. (Although the latter makes me shiver
since it can contain embedded VB script.)


cheers
rickw



-- 
_________________________________
Rick Welykochy || Praxis Services

Once a new technology starts rolling, if you're not part of the
steamroller, you're part of the road.
      -- Stewart Brand

More information about the Link mailing list