[LINK] Re: executable content vs plain data
Craig Sanders
cas at taz.net.au
Sun Jan 20 16:48:16 AEDT 2008

On Sun, Jan 20, 2008 at 02:36:51PM +1100, Rick Welykochy wrote:
> Craig Sanders wrote:
>
>> no, flash videos are NOT just data. they are data plus program code
>> which is executed by the flash plugin.
>
> If that is the case, I stand corrected and will accept the fact. So far,
> I have not seen any evidence of there being interpreted code in a FLV file.

it's flash, it can contain anything that any other flash program can.
in any case, where do you think the play, pause, etc controls come from?
they're not just a standard unchangeable feature of the flash plugin,
each video site can - and often does - embed their own player program
written for the flash virtual machine.

>> 2. in the case of flash and other plugins that do have to be installed
>> by the user[1], once the user has downloaded and installed the plugin
>> to view one thing, they're now at risk for EVERY web page they visit
>> afterwards.
>
> I won't argue with that. *Any* piece of code can contain bugs and
> could possibly be exploited for nefarious purposes. Solution? Turn
> off your PC, go outside and enjoy meatspace :)

meanwhile, back in the real world, a better alternative would be to NOT
conflate data and executables, and to reject attempts by corporations
(and governments, and organised crime, and others) to do so.
i used to think that one of the most absurd things about Gibson's
Neuromancer way back in the 80s was the idea of 'black ice' (security
software) that could destroy the brains of those who 'jacked in' to his
imaginary cyberspace, because "who'd be dumb enough to execute just any
old code that comes their way? especially if it was on a machine plugged
directly into their brain?". i guess i was wrong.

>>>> non-techs could just listen to the advice from people who are
>>>> technically literate.
>>> Experience shows that most people simply do not listen. This alludes
>>> to the concept of the "Internet Driver's Licence" which many geeks
>>> lament.
>>
>> right, so that's a reason for those of us who do understand the issues
>> to sit smugly on our arses and not even bother attempting to inform
>> people?
>
> What nonsense. I tell a person all about insecurities in Windows, why
> they should not open certain emails and to *never* click on links found
> in emails. They do not listen. And I am smug. Very rich.

no, the smugness was in the implication that we should just say "they're
too dumb to ever understand" and dismiss them as ignorant, ineducable
rabble who deserve whatever they get.

> No, I am not being smug at all. If you read some of the many many rants
> I have posted to Link, ad nauseam, about various insecure practices, my
> actions back up my words: I never stop preaching about this stuff. It is
> important to me. It is important for a better running Internet. Smug?
> Nope. Persistent? Yup.

well, your comments in this thread were an exception to that.
and yes, i did notice and remember your previous position on similar
topics. part of what i wrote was to remind you of that.

craig
--
craig sanders <cas at taz.net.au>
BOFH excuse #118:
the router thinks its a printer.