[Fwd: FC: A sysadmin's view on HTML-Javascript email problems]

From: Eugene.Leitl@lrz.uni-muenchen.de
Date: Mon Feb 05 2001 - 22:38:04 PST


-------- Original Message --------
From: Declan McCullagh <declan@well.com>
Subject: FC: A sysadmin's view on HTML-Javascript email problems
To: politech@politechbot.com

*********
The most concise argument yet for ditching your Windows mail client:
   s/<script language="Java\w+.*?">.*?<\/script>//gis

-Declan
PS: If you don't get the not-quite-a-joke above, RTFM at:
http://www.perl.com/pub/doc/manual/html/pod/perlfaq6.html

*********

Date: Mon, 05 Feb 2001 14:35:58 -0500
To: declan@well.com
From: Larry Poos <poosld@ec.rr.com>
Subject: Re: If you forward HTML email, it could be eavesdropped
In-Reply-To: <5.0.2.1.0.20010205105538.00a686a0@mail.well.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-UIDL: f1f37b01f8629a2095bae20ab30aa34a

At 10:55 2/5/01 -0500, You Scribbled:
----[ BEGIN QUOTE ]----
:"Email wiretapping" seems a little overblown, but this is bad news.
:
:The new netiquette:
:1. Friends don't send friends HTML email
:2. Friends don't accept HTML email from friends
:3. Friends don't let friends use Outlook or Navigator to read email
:4. If you or a friend must break the above three rules, then disable Javascript
:5. If you or a friend must break the above four rules, remove Javascript
:code from the HTML email you forward (ask a geek for help)
:
----[ END QUOTE ]----

Rules 1-3 should IMO become law and company policy. Numbers 4 and 5
are pipedreams for these reasons;
A. Most users (in my experience) don't know how to disable
Javascript.
B. Most users (again in my experience) won't remove the forwarding
address from a two line message, resulting in 50 sets of >'s and
pages of forwarding information. Why would they remove <SCRIPT> code?
C. Most users have no knowledge of HTML document layout or the
mechanics and syntax of HTML (Thank you "Frontpage", another fine
Microsoft product) so even if they wanted to remove it they
couldn't.

As to "Ask a geek for help", I got better things to do with my time.
Such as make sure the mail server stays up and also blocks the
incoming spam you all hate so much but keep forwarding, closing up
security holes and cleaning up the trojans and viri that users put
on the system by opening every attachment they get no matter who
sent it. You want to edit your email, then get your point and click
8 to 5 only body in here and take the computer training classes HR
has setup. Oops sorry I forgot, we have to make it mandatory just
to get you to come to the classes, held during work hours, on the
applications you must use in your job, why would you come to an
evening or Sat. class?

Until the decision makers wake up and demand that email applications
reject HTML style text this "wiretap", trojan carrying, security-hole
style of email will continue to be exploited. HTML style email not
only has opened security holes but has increased the bandwidth load
by 500% because of the increased size due to the formatting codes
added to the message.

As we have moved farther down the information highway I've come to
believe that the makers and shakers have forgotten the "KISS"
principle when it comes to email and browsers. Paraphrasing Thomas
H. Lipscomb in an earlier post on the "Digital Divide"; If by HTML
you must go, the underlying code you must know.

Larry D. Poos
[System Consultant]
LTAD Enterprises

E-MAIL:
(Primary) ldpoosld@ec.rr.com

************

Date: Mon, 05 Feb 2001 10:43:50 -0800
From: Lorraine King <lking@telus.net>
To: declan@well.com
Subject: Re: FC: If you forward HTML email, it could be eavesdropped
References: <5.0.2.1.0.20010205105538.00a686a0@mail.well.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-UIDL: 93ce9ce8ffe6bc096a44c9213e751ecc

Declan,

Not sure how wide your reach is - maybe only geeks to whom this will be
obvious - but with NS messenger it may not be obvious to everyone that you
need to turn js *off* for messenger, but can leave it on for the NS
browser. I only use 4.6 - not dealt with by the referenced page so perhaps
I am not affected (but not taking any chances, either) - and in its
preferences, the js-for-mail option is nested under the general js option.

Declan McCullagh wrote:
>
> "Email wiretapping" seems a little overblown, but this is bad news.
>
> The new netiquette:
> 1. Friends don't send friends HTML email
> 2. Friends don't accept HTML email from friends
> 3. Friends don't let friends use Outlook or Navigator to read email
> 4. If you or a friend must break the above three rules, then disable Javascript
> 5. If you or a friend must break the above four rules, remove Javascript
> code from the HTML email you forward (ask a geek for help)
<snip>

-- 
Lorraine P. King                            Telephone: (604) 936-6150
ICQ#11591526                                Cellular:  (604) 723-6051
Depth in content, depth in thinking, looking at a great many
sources to get information is a dying art.     -Bonnie Bracey

************

From: mikus@bga.com (Mikus Grinbergs)
To: Declan McCullagh <declan@well.com>
Subject: Re: FC: If you forward HTML email, it could be eavesdropped
Date: Mon, 05 Feb 2001 12:43:07 -0600

In list.poli, you wrote on Mon, 05 Feb 2001 10:55:49 -0500:
> "Email wiretapping" seems a little overblown, but this is bad news.
>
> The new netiquette:
> 1. Friends don't send friends HTML email
> 2. Friends don't accept HTML email from friends
> 3. Friends don't let friends use Outlook or Navigator to read email
> 4. If you or a friend must break the above three rules, then disable Javascript
> 5. If you or a friend must break the above four rules, remove Javascript
> code from the HTML email you forward (ask a geek for help)
>
> -Declan

Let me remind you of an incident which you (or somebody) publicised. (For which not even Javascript was needed!)

An individual using an anonymizer was posting messages (to various newsgroups) which criticized corporation XYZ. This criticism drew enough attention for XYZ to assign "sleuths" to the matter. The sleuths concluded the critic was an XYZ employee. To track him down, the sleuths created an innocuous image on their own webserver, but activated a "sniffer" which would record the IP-address of anyone FETCHING that image. They then replied to one of the critic's messages using an HTML email message having a subject line they hoped would arouse his interest. The body of their message included a perfectly ordinary HTML tag referencing the image's URL. The sleuths were in luck - the critic decided during lunch hour to connect to his ISP and check his private email. When the critic opened that particular message in HTML mode, the message body FETCHED (and displayed) the referenced image. The sleuths now had the IP-address (of the terminal within XYZ that the critic used), and were able to identify him.

mikus

************
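The one-line substitution at the top of this thread only matches script tags that carry a language="Java..." attribute, and the image incident recounted in the last message needs no script at all. As an added example (not code from any poster in this thread), this Python filter parses the mail body instead and removes script elements, event-handler attributes, javascript: URLs and remote src/background references, reporting each one; the class and function names and the tracker.example host are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

class MailSanitizer(HTMLParser):
    """Re-emit an HTML mail body without script or automatic remote fetches."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":          # any <script>, with or without language=
            self.in_script = True
            self.findings.append("script element")
            return
        kept = []
        for name, value in attrs:    # names arrive lower-cased from the parser
            value = value or ""
            url = value.strip().lower()
            if name.startswith("on"):
                self.findings.append(f"{tag} {name} handler")
            elif url.startswith("javascript:"):
                self.findings.append(f"{tag} {name} javascript: URL")
            elif name in ("src", "background") and url.startswith(("http:", "https:", "//")):
                self.findings.append(f"remote fetch: {value}")
            else:
                kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:       # script source is dropped, text is kept
            self.out.append(escape(data, quote=False))

def sanitize(html_body):
    """Return (cleaned_html, findings) for one HTML mail body."""
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.findings

# Constructed sample message body; tracker.example is a placeholder host.
SAMPLE = ('<html><body><p onmouseover="x()">Lunch?</p><script>var a = 1;</script>'
          '<script language="JavaScript1.2">var b = 2;</script>'
          '<img src="http://tracker.example/pixel.gif" width="1" height="1">'
          '<a href="javascript:void(0)">more</a></body></html>')
```

An unclosed script element causes everything after it to be dropped, so the filter fails closed rather than passing script source through as text.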

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------


