Firewall Wizards mailing list archives

RE: Re: Anybody Recognize These Uploads?


From: "Bill Royds" <broyds () rogers com>
Date: Sun, 5 Jan 2003 12:09:40 -0500

I manage and moderate a local environmental mailing list. In general the rule is text messages, so I convert HTML 
messages sent to me into text before forwarding them to the list. But occasionally a message arrives that needs to use 
HTML (a poster for a meeting for people to distribute, with images and maps, for example). 
But I never need to send executable content in an e-mail. So there is a place for static HTML in emails, but there is 
never any need for JavaScript or inclusion of external content. 
  If there were settings "Do not fetch external files" and "Do not execute any scripts or attachments", then perhaps 
Outlook would be safer. As it is, Microsoft has all or nothing security. Never render anything, or render everything. 
Unfortunately that seems all too often to be a Microsoft approach to security. We depend on Microsoft software not 
having bugs as it determines whether things are safe. Putting all your trust in bug-free code is not the way to 
security.


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com]On Behalf Of Paul D.
Robertson
Sent: Sun January 05 2003 11:19
To: Noonan, Wesley
Cc: 'Christopher Hicks'; R. DuFresne;
firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Re: Anybody Recognize These Uploads?


On Sat, 4 Jan 2003, Noonan, Wesley wrote:

users want. As functionality is added, because customers want it, so are
bugs and vulnerabilities. The sad thing is, if the users do find an

Let's just dispel this myth.  Features in a lot of software aren't added 
because of customer wants, they're added as marketing feature draws[1], or 
for other business reasons by vendors.  Yes, occasionally a user-requested 
feature gets added, but mostly it's companies trying to push in a 
particular direction.  Lots of companies asked for a version of Word that 
wouldn't do macros once upon a time.  Lots of companies now would like a 
version of Outlook that can't render HTML.  I think I know 2 people who 
use HTML in e-mail.  I don't see a groundswell requiring it.  I know a lot 
of companies, representing hundreds of thousands of users who'd be really 
happy with a copy of Outlook that simply wasn't capable of rendering HTML 
(the client, not funky filtering between the client and the server, and 
not server-side stuff.)  While I'm dreaming, how about a copy of Exchange 
that isn't capable of auto-HTMLing mail originating on a client set to do 
plain text?  You wouldn't believe the posts I reject here because the 
original author isn't able to control the formatting of their own 
messages.

While we're in the dragging parents into it mode (Hi Cat!)- my Dad uses 
Outlook (or Outlook Express) at work, but I've gotten him to Pegasus at 
home (which happened back when there was a lot of autoexecuting preview 
pane stuff going on with Outlook Express.)  He knows how to send and 
receive mail, and he's happy- initially he wanted Outlook Express at home, 
because he knew the interface, but he went and loaded Pegasus on his brand 
new computer last week (quite a feat, I can assure you) instead of using 
Outlook Express, because now he's familiar enough with Pegasus' interface 
that there's nothing "featureful" that's significantly different from 
Outlook Express to have him "need" Outlook Express. 

It's a mail client, there's just not that much to mail.  Tacking on stuff 
until it bloats past usability/security isn't going to help.  At some 
point, the user population will understand that it's possible to *finish* 
software.  That there's no gain to them for some change due to someone's 
idea that the market will flock to a competitor if they don't change 
something every quarter or two.

Right now, the market is being manipulated by vendors that want to boost 
quarterly earnings reports by getting people to change software 
frequently.  That's the driver, not the user, not the feature, pure and 
simple artificial economy generation.  

Personally, I can only just remember the last time a word processor added 
a feature worth upgrading for (WYSIWYG and compound documents were both 
worth-while.)  

Paul
[1] While there's some correlation between marketing features and 
customers, it's rarely customer driven in the mass-market software 
industry.  That's because a significant portion of customers would be 
perfectly happy with "don't add feature $Foo," and I'd hazard to guess in 
most cases that portion would be larger than the portion who want feature 
$Foo.  
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
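
The two settings wished for at the top of this message ("Do not fetch external files" and "Do not execute any scripts or attachments") can be approximated by filtering an HTML body down to static markup before it is rendered or forwarded. The sketch below is an added example, not part of the original thread or of any mail client; the names StaticHtmlFilter and to_static_html and the policy sets are assumptions, and inline images are assumed to be cid: attachments.

```python
from html import escape
from html.parser import HTMLParser
# The policy sets below are assumptions made for this example.
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "applet", "iframe"}
DROP_TAG = {"link", "meta", "base"}                 # exist only to load or redirect
VOID = {"img", "br", "hr", "input", "area", "col"}  # never get an end tag
LOADS = {"src", "background", "srcset", "poster"}   # fetched while rendering
LINK_SCHEMES = ("http:", "https:", "mailto:")       # followed only on a click

class StaticHtmlFilter(HTMLParser):
    def __init__(self):
        super().__init__()            # convert_charrefs=True: text arrives decoded
        self.out, self.removed, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1            # unclosed element swallows the rest: fail closed
        if tag in DROP_WITH_CONTENT | DROP_TAG:
            self.removed.append(tag)
        elif not self.skip:
            kept = ""
            for name, value in attrs:
                v = (value or "").strip().lower()
                if (name.startswith("on") or name == "style"
                        or (name in LOADS and not v.startswith("cid:"))
                        or (name == "href" and not v.startswith(LINK_SCHEMES))):
                    self.removed.append(f"{tag} {name}")
                else:
                    kept += f' {name}="{escape(value or "")}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag not in DROP_TAG | VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def to_static_html(body):
    f = StaticHtmlFilter()
    f.feed(body)
    f.close()                         # flush any text still buffered
    return "".join(f.out), f.removed

# Constructed sample body, not taken from any real message.
SAMPLE = ('<h1 onclick="go()">Creek &amp; trail</h1><img src="cid:map1"><script>go()</script>'
          '<img src="http://tracker.example/p.gif"><a href="javascript:go()">Agenda</a>')
```

The second return value lists what was stripped, which a moderator can log or use to decide whether a message should be held rather than forwarded.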
