[LINK] SOH SEcurity [was: Freeview Launches In Australia]

Rick Welykochy rick at praxis.com.au
Wed Nov 26 11:56:52 AEDT 2008

Michael Still wrote:

> I think we're going to have to agree to disagree here.

I'd like to have an argument please ;)

> I dispute that it's only "lusers" who use streaming 
> video for example (a large portion of Flash use) -- it's hard to argue 
> that streaming videos of the recent presidential election debates 
> weren't valuable.

No one said only "lusers" use streaming video. That would be absurd.
There is nothing wrong with using streaming video. For security reasons
the facility should be built into browsers, natively. Crikies, the technology
has been around for the years or more.

I use a shell-based tool to download streaming video and then play it
locally, uninterrupted and at the correct speed. No browser, no browser
bugs, no Flash, no crud that I cannot possibly apply a trust model to.

Requiring third party executable code to execute simply to view content
is inherently insecure. Always has been and always will be.

The original web model was simple: HTML contains content descriptors
rendered by the browser. Nothing else. The browser is updated with new
facilities when new content types are available. There were howls of protest
when executable plug-ins and third party additions were added to browser
tech. For good reason.

With the simple browser scheme I describe above, you only have to trust the
browser software itself. And an open source browser is open to scrutiny.
There is a trust model you can depend upon.

Has anyone scrutinised what Flash does behind the scenes? How about what
Microsoft sends back to Redmond? Anyone getting nervous about Skype
and all that extra traffic? There were howls of protest when it was discovered
that a supposed non-network application, MS Word, was opening sockets
back in the 90's.

These closed software solutions have an inadequate or non-existent trust
model. In the same way that Javascript, and all other executable plug-ins
and interpreted code are untrustable in your web browser. (At least with
the web model you can sometimes reverse engineer third-party crud, but that
is quite rare these days).

Myself, I'd rather trust ONE software component that cannot invoke ANY OTHER
software component. And to hell with convenience. So what if security means
it is a bit tougher to do things. That is the way security works in the
real world. Same applies in the digital world. Only more so.

> of the flaws you describe in a home router can be addressed with SSL and 
> things like TOR.

Read the PDF. I beg to differ.

> The thing is though, most people just don't care about privacy as much 
> as you do. Look at the sharing behaviours of Facebook users for example. 
> That doesn't mean you're wrong, it just means you're in the minority, 
> and should continue to expect to see services which do address the 
> desires of the majority.

Who cares whether or not I care about privacy. I am more going on about
the larger implications of *SECURITY* or lack thereof. That affects your
and my privacy, our bank accounts and much much more.

Focusing on just privacy is missing the forest for the trees, so to speak.

But yeah, I'll agree to disagree.

Did I mention Hitler, the Nazis and WW2 yet?


Rick Welykochy || Praxis Services

You go find out what they need and I'll start coding.
      -- two geeks
