From: jnc@mercury.lcs.mit.edu (Noel Chiappa)
Date: Sun, 12 Mar 2017 16:04:36 -0400 (EDT)
Subject: [TUHS] attachments: MIME and uuencode
Message-ID: <20170312200436.947D318C099@mercury.lcs.mit.edu>

    > From: Doug McIlroy

    > Allowing more or less arbitrary attachments was a real convenience. But
    > allowing such stuff to serve as the message proper was dubious at
    > best.

Sorry, I'm not sure I'm completely clear what you mean there? Do you mean
'non-ASCII-text objects were processed by the mail system without being told
to do so explicitly, by the user'? That, combined with the below, is indeed a
problem.

    > it also posed a security threat.

The problem isn't really so much the ability to have attachments, as that
people defined attachment types with open-ended capabilities, up to and
including what I call 'active content' - i.e. content which includes code
which is to be run.

(Yes, yes, I know - even without that, it's possible to feed 'dumb'
applications bad data, and do an intrusion; I seem to recall there was one of
those with JPEGs, so even plain images were not perfectly safe. And someone
just provided an example of one with plain ASCII. But those holes are much
harder to find/use, whereas active content is a security hole the size of a
trans-Atlantic liner.)

Without an _incredibly_ secure OS (something on the order of late-stage
Multics, when the security had been beefed up even over the original design
[the jargon to search for is 'AIM', if you're interested], or better),
bringing in 'active content' from _outside_ the system, and running it, is
daylight madness - it's an invitation to disaster. This is true no matter
_how_ such content comes in: via HTTP, with a Web browser; via SMTP, with
e-mail; whatever.

Dave Moon coined a phrase, based on an old anti-drug movie: 'TECO madness: A
moment of convenience, a lifetime of regret.' These active contents all, to
me, fall into that category. They _seem_ like a good idea, and provide
interesting capabilities - until some cracker uses one to wipe your hard
drive.

    > With active text such as HTML, it is all too easy to mistakenly brush
    > over a phishing link.

HTML email is another of my pet peeves/hot buttons - it's just another vector
for active content. So, for the 'convenience' of being able to send email in
multiple fonts ('eye candy', I derisively call it), we get to let malefactors
send in viruses that can wipe a hard drive.

To me, this kind of thing is professional malpractice, on a par with building
cars that catch on fire, or buildings that collapse. People need to suffer
incredibly severe penalties for propagating this kind of nonsense; maybe then
software engineers will stop valuing convenience over regret.

	Noel