
Re: Warning: Trolling for Dollars, Scammers hard at work



** Reply to message from Patricia M Godfrey on Sat, 19 Jul 2003 13:15:50 -0400

> "a remote webpage that you are reading is not allowed to
> launch a program on your computer, period -- that would be a huge
> security hole." Sure would. But isn't that just what Javascripts and
> Active-X do? Or am I missing a vital distinction here?

First, I only raised that as an example (and there _are_ such programs as I
described, e.g. NavRoad -- but that wasn't the point of my comment). Yes,
Javascript can be used to launch executables, but only if you explicitly permit
them *each time* you launch one, i.e. there's a pop-up and you have to say
"Yes". Moreover, the JS script must be resident on your machine; and the
routine to run must be locally installed -- cannot be remote.

> That's why I'm
> leery of Java and Java programs (including PolarBar, whose site I looked
> at when Robert first recommended it a while back; ZoneAlarm reported
> three or four probes of my ports there.) I would love to be convinced I'm
> wrong.

Ach, you're wrong. The hell with ZoneAlarm (let's not confuse websites with
Email clients). PBM is 200% secure. Read the maillist! The thing is designed
ground-up to be impervious to attack of any kind. It just doesn't happen.
*Nothing* launches unless you launch it deliberately (and you'll do that with
third party progs, because PBM just doesn't launch anything period, except for
3rd-party progs configured within it by you). These guys (the designers and
users) are not schmucks from nowhere (they're senior engineers at IBM, that
sort of thing). They're doing it as a challenge, to write the perfect
cross-platform Email client, and because they believe in this method of
development (totally consultative, and freeware -- no secrets). The "talk" is
at a very high, technical level -- but the Emailer itself is really easy to
run. They _never_ release a "Security Update du jour", like all Windows
OpSyses seem to require -- in fact, they never issue security updates at all,
because it isn't an issue. I've never heard any of the maillist participants
make a security complaint, or even talk about it, except to laugh at the passé
travails of Outlook and other Email users -- believe me, they're bloody
demanding. Or don't believe me.

-----------------------------
Robert Holmgren
holmgren@xxxxxxxx
-----------------------------