[2648] in WWW Security List Archive
Re[2]: ActiveX security hole reported.
daemon@ATHENA.MIT.EDU (Tim Feeney)
Fri Aug 16 12:55:18 1996
Date: Fri, 16 Aug 1996 10:48:30 -0400
From: feeney@messaging.tfn.com (Tim Feeney)
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
>Sean Robert Wilkins Wrote:
>Now I should start and say I am surely not saying there are no security
>problems here, BUT actually a person who is running around the web with
>software of this type should know at least the basic security around the
>dialogs. Now not that everyone knows everything, but a basic level should
>be known, this is why MS's messages are so descriptive to Netscape's, to
>compare.
>> While I agree that people should know the basics about security and
>> their machine, to expect it, as some vendors' products seem to indicate,
>> is ludicrous. I have been to many a software store looking around and
>> have heard people talk to the sales person about their "pc", and have no
>> clue as to what it is, never mind the security aspects of running IE.
>> This point can be further boosted if you talk to some support reps. I
>> believe that Microsoft, Sun, Netscape, et al. must be held more
>> accountable for the security aspects of their product. Not doing so
>> would be akin to saying the car manufacturers could have a button to
>> start a car {easier than turning a key}. The consumer should know that
>> they should disable it so "we", the vendor, will not worry about it.
>> One must remember that there are people still out there that will give
>> out their credit card numbers over the phone to people they don't know.
>And actually there are some places to get your code signed for a
>reasonable rate, about the same rate as it is to have say ASP verify a
>shareware program. These companies are in the Internet position of a notary.
>Actually I had a question of you: are you a big fan of Java? or its
>scripting. MS based or SUN?? There is always going to be a back door
>somewhere.. or an invisible security problem..
>Another thing about this: the angry or sarcastic tone of this message
>is not appreciated or necessary so please don't use it. This is a news group
>for debating maybe but none of that stuff...
>> This is a news group for debate and information gathering, but I can see
>> where the tones resonate from. As a systems administrator for a financial
>> company it is quite disheartening when products such as Java/ActiveX are
>> introduced. There is no security expert here, and probably won't be for
>> quite some time (or until an incident). I have a hard enough time trying
>> to convince mgmt. to invest in a backup scheme, never mind tell them that
>> they should not use the latest gadgets on the company net. Simplistic
>> holes such as this will not go away until the vendor is held responsible
>> for such shoddy work, which realistically will probably never occur. ;^(
>> Happy Surfing,
>> Tim