'Re: [xml-dev] Wrapping Scripted Media in RSS: Secure?'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       xml-dev
Subject:    Re: [xml-dev] Wrapping Scripted Media in RSS: Secure?
From:       Peter Hunsberger <peter.hunsberger () gmail ! com>
Date:       2005-09-23 14:17:00
Message-ID: cc159a4a05092307175a71dd23 () mail ! gmail ! com
[Download RAW message or body]

On 9/22/05, Bill Kearney <wkearney@syndic8.com> wrote:
> > > Indeed. But new technologies, or new uses of existing tech, often
> > > present unforseeable risks. (ask me about
> > > beaming newton notes sometime!)
> > Yes! What about beaming newton notes?
>
> I once wrote an app that would send complex notes that had code attached
to
> their elements.
 I spent a good chunk of my early career building mail systems, staring wit=
h
mail systems for NetNorth (the Canadian end of Arpanet) then VM PROFS
gateways to various system, then finally products that did MS Mail and Lotu=
s
Notes exchange with anything to anything (the later technology eventually
made it's way into the first versions of MS Exchange Server).
 Every single mail system I worked on eventually gained the capability to
exchange some kind of scripted content and/or the ability to run a large
variety of embedded objects. I once spent an lunch hour with a gentleman
from IBM giving him the sketch of what was needed for the PROFS "user exits=
"
and six months later they showed up in the product. The demand for the
capability was so great that it resulted in the shortest cycle from spec to
implementation I've ever seen IBM complete.
 It makes sense that any time you have a basic transport that is generally
useful, people are going to want to use it to transport anything and
everything. Not acknowledging this up front and engineering for it will
eventually result in your system being replaced by something that does what
the users want. And yes, I do believe that applies to RSS, IM, etc....
 <snip/>

> Live content, scripting and unintended consequences is nothing new. Lack
of
> effective sandboxing isn't either, sad to say.
 Aye! If you're working in a sensitive environment you scan, sniff x-ray an=
d
maybe quarantine your physical mail. No reason you shouldn't expect to do
the same for sensitive computer environments.

--
Peter Hunsberger

[Attachment #3 (text/html)]

<div>On 9/22/05, Bill Kearney &lt;<a \
href="mailto:wkearney@syndic8.com">wkearney@syndic8.com</a>&gt; wrote:<br>&gt; &gt; \
&gt; Indeed.&nbsp;&nbsp;But new technologies, or new uses of existing tech, \
often<br>&gt; &gt; &gt; present unforseeable risks. (ask me about <br>&gt; &gt; &gt; \
beaming newton notes sometime!)<br>&gt; &gt; Yes! What about beaming newton \
notes?<br>&gt; <br>&gt; I once wrote an app that would send complex notes that had \
code attached to<br>&gt; their elements.&nbsp;&nbsp;</div>

<div>&nbsp;</div>
<div>I spent a good chunk of my early career building mail systems, staring with \
mail&nbsp;systems for NetNorth (the Canadian end of Arpanet) then&nbsp;VM PROFS \
gateways to various system, then finally products that did MS Mail and Lotus Notes \
exchange with anything to anything (the later technology eventually made it's way \
into the first versions of MS Exchange Server).&nbsp;  </div>
<div>&nbsp;</div>
<div>Every single mail system I worked on eventually gained the capability to \
exchange some kind of scripted content and/or the ability to run a large variety of \
embedded objects. I&nbsp;once spent an lunch hour with a gentleman from IBM giving \
him&nbsp;the sketch of&nbsp;what was needed for&nbsp;the PROFS &quot;user exits&quot; \
and six months later they showed up in the product.&nbsp;The demand for the \
capability&nbsp;was so great that it resulted in&nbsp;the shortest cycle from spec to \
implementation I've ever seen IBM complete. </div>
<div>&nbsp;</div>
<div>It makes sense&nbsp;that any time you have a basic transport that is generally \
useful, people are going to want to use it to transport anything and \
everything.&nbsp; Not acknowledging this up front and engineering for it will \
eventually result in your system being replaced by something that does what the users \
want. And yes, I do believe that applies to RSS, IM, etc.... </div>
<div>&nbsp;</div>
<div>&lt;snip/&gt;</div>
<div><br>&gt; Live content, scripting and unintended consequences is nothing \
new.&nbsp;&nbsp;Lack of<br>&gt; effective sandboxing isn't either, sad to \
say.<br>&nbsp;</div> <div>Aye! If you're working in a sensitive environment you scan, \
sniff&nbsp;x-ray and maybe quarantine&nbsp;your physical mail.&nbsp;No reason you \
shouldn't expect to do the same for sensitive computer environments.&nbsp;<br><br>-- \
<br>Peter Hunsberger <br>&nbsp;</div>



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic