[14418] in cryptography@c2.net mail archive
Re: Reliance on Microsoft called risk to U.S. security
daemon@ATHENA.MIT.EDU (lists@notatla.org.uk)
Thu Oct 2 11:25:38 2003
X-Original-To: cryptography@metzdowd.com
To: bear@sonic.net, cryptography@metzdowd.com
Date: Thu, 2 Oct 2003 08:58:41 +0100 (BST)
From: lists@notatla.org.uk

From: bear <bear@sonic.net>
> Heh. You looked at my mail headers, didn't you? Yes, I use pine -
> primarily *because* of that property. It treats all incoming messages
> as text rather than live code.

BUGTRAQ in the last 3 years lists over 80 mails on pine - including
reference to this recently:
http://www.idefense.com/advisory/09.10.03.txt
which also appears in candidates on cve.mitre.org.
(Mitre seem to take unreasonable time in converting candidates to
definite problems unless I'm misunderstanding their website.)

> [HTML mail] can cause your machine, specifically, to make network
> connections to get graphics, style sheets, etc, and will not display

That could include web bugs for spammers. I agree it's ridiculous to
read mail in a browser but a conventional MUA has risks too.

I write all mail to disk and view it with my favourite text editor.
This is convenient with practice. Now I only want MUAs for sending
mail (it's worth it to get the correct references in my reply headers).

I use this script on one of my accounts where I accept HTML mail
(reluctantly from a hotmail user).
http://www.notatla.org.uk/SOFTWARE/text_lover_mail_filter.plx
The HTML conversion is done by lynx (confined by SubDomain).

This practice can result in running "mimencode -u" and "metamail -w"
on a few things. It's not that common for a non-text message to get
past my procmail rules and have me choose to read it.

This is all pretty simple but certainly not mass-market. I must order a
"told you so" rubber stamp for when my monocultural acquaintances get hacked.
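
Added example, not part of the original message and not the poster's Perl script: a sketch of the "treat mail as text" practice described above, which reduces a message to editor-readable text and lists remote references (possible web bugs) instead of fetching them. It assumes Python's standard html.parser in place of lynx and shows no SubDomain-style confinement; the names `flatten` and `SAMPLE` and the sample message are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
# Constructed sample message (not from the thread): HTML body with a 1x1 remote image.
SAMPLE = b"""MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<p>Hi &amp; welcome</p><script>alert(1)</script>
<img src="http://tracker.example/bug.gif?id=42" width="1" height="1">
"""

class _TextAndLinks(HTMLParser):
    # Collects visible text and remote references; never opens a connection.
    def __init__(self):
        super().__init__()
        self.text, self.remote, self._skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        for name, value in attrs:
            if name in ("src", "href", "background") and value and \
                    value.lower().startswith(("http:", "https:", "//")):
                self.remote.append((tag, value))
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())

def flatten(raw_bytes):
    # Returns (text, remote_refs, skipped_parts) for viewing in an editor.
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    out, remote, skipped = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            out.append(part.get_content().strip())
        elif ctype == "text/html":
            p = _TextAndLinks()
            p.feed(part.get_content())
            p.close()
            out.append("\n".join(p.text))
            remote += p.remote
        else:  # anything else is only listed, never decoded or run
            skipped.append((ctype, part.get_filename()))
    return "\n\n".join(out), remote, skipped
```

The returned text can be written to disk for the editor; the remote list shows what an HTML-rendering client would have contacted.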