From: "Erik E. Fair"
To: Marc Donner
CC: tuhs@tuhs.org
Date: Tue, 01 Aug 2023 03:58:44 -0700
Message-ID: <29602.1690887524@cesium.clock.org>
Subject: [TUHS] Re: Cool talk on Unix and Sendmail history, by Eric Allman

    Date: Tue, 1 Aug 2023 05:22:17 -0400
    From: Marc Donner

    Nathaniel (Mr Mime) Borenstein came up with
    something (atomicmail?) that was intended to be more functional than raw text but safer than free execution of unknown code. I disremember the details. I don't think it ever got traction.

You remember correctly. It got stomped by those of us in the IETF MIME working group with approximately the same forceful negative reaction as you've seen here to Mike Lesk's idea of instantly executed Unix commands in e-mail.

I'm hardly innocent of this - while writing & operating the AppleLink/Internet e-mail gateway at Apple in the 1990s, I discovered that I could download the entire user directory from AppleLink (over 50k users: all Apple employees, Apple 3rd-party developers, Apple retail dealers - the whole "Apple Federation" at that time was on AppleLink), which included both usernames and "full name" fields, which could provide the basis for an AppleLink directory lookup service on the Internet. I figured it'd be easy to use FINGER & WHOIS as the protocol ports since the outputs of those are basically unstructured (unspecified) ASCII text, e.g. "finger fair@applelink.apple.com" would return a list of all usernames and full names matching "fair".

I was writing in Perl because e-mail gatewaying is primarily about string handling, and it sucks to write in C for that. The best performing way to implement the text search was to use its eval() function with a regex constructed from the network protocol input. I tested it, and it worked great, but I bet you can guess where this is going - how to perfectly sanitize the search term inputs taken directly from the net so they don't become arbitrary Perl code?
I never deployed it, partly because I couldn't convince myself I'd made the service completely secure, and partly as a privacy matter: finger (especially after the 1989 Morris Worm & the increasing amounts of e-mail spam) was not a service that sites were offering any longer because there were too many bad actors on the Internet, and it just wasn't a good idea to be as open & trusting as the ARPANET had been. I lament the passing of that culture from time to time.

I think anyone with a modicum of experience in computer & systems security can instantly recognize the dangers in executable code transmitted unsolicited to unwary recipients and automatically executed without prior, explicit permission, and works to stop anything along those lines from becoming standard practice because, despite all the protestations that "it's run in a sandbox, it's safe!", the proponents can never prove their case beyond reasonable doubt.

How many bugs were discovered in the "restricted shell" (rsh) over the years?

Sometimes we fail to prevent such bad ideas from being implemented: JavaScript in HTML/HTTP is one such. What concerns me these days is how often JavaScript is showing up in text/html e-mail. At least visiting a website (URL) with a web browser is, to some degree, an act of volition. Particularly with MIME, Internet e-mail has to be parsed and presented (and which HTML parsers these days do not also include a JavaScript interpreter?), not merely spewed to a presumed-ASCII (OK, UTF-8) terminal. Even simple spew could be dangerous: who remembers "intelligent terminal" transmit-back codes and the mischief those caused?

IIRC, the question we posed to Nathaniel was: "do we really want to enable letter bombs?"

Some of us also remembered (and possibly referenced) the UNAbomber.

Erik
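
An added example, not part of the original message and not the gateway's code: one way to run the directory search described above without eval(), by treating the network-supplied term strictly as literal text. The names `parse_query`, `lookup`, `$MAX_TERM` and the sample directory are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample directory: username => full name (not real AppleLink data).
my %directory = (
    'fair'    => 'Example Fair',
    'fairfax' => 'Pat Fairfax',
    'a.b'     => 'Alex Brown',
    'axb'     => 'Ann X. Baker',
);

my $MAX_TERM = 64;    # hypothetical limit on a search term taken from the net

# Reduce a raw finger request line to a search term; return undef to refuse it.
sub parse_query {
    my ($line) = @_;
    return unless defined $line;
    $line =~ s/\r?\n\z//;       # strip the line ending that terminates the query
    $line =~ s/\A\/W\s*//;      # drop the optional finger verbose switch "/W"
    $line =~ s/\@.*\z//s;       # ignore any @host part
    return if $line eq '' or length($line) > $MAX_TERM;
    return unless $line =~ /\A[\x20-\x7E]+\z/;    # printable ASCII only
    return $line;
}

# \Q...\E (quotemeta) escapes every regex metacharacter in the term, and
# qr// compiles the pattern once, so no string is ever passed to eval().
sub lookup {
    my ($term) = @_;
    my $re = qr/\Q$term\E/i;
    my @hits;
    for my $user (sort keys %directory) {
        my $full = $directory{$user};
        push @hits, sprintf("%-10s %s", $user, $full)
            if $user =~ $re or $full =~ $re;
    }
    return @hits;
}

# Constructed requests: a plain name, two with regex metacharacters, one with
# a control character. The raw input is never echoed back when it is refused.
for my $raw ("fair\@applelink.apple.com\r\n", "a.b\r\n", ".*\r\n", "fair\x07\r\n") {
    my $term = parse_query($raw);
    if (!defined $term) { print "refused\n"; next; }
    my @hits = lookup($term);
    print "query '$term':", (@hits ? "\n  " . join("\n  ", @hits) : " no match"), "\n";
}
```

With the term quoted, "a.b" matches only the entry containing a literal dot and ".*" matches nothing, which is the behaviour an eval()-built pattern could not guarantee for arbitrary input.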