
Re: [metadataInURI-31] New draft of metadata in URI finding includes section on malicious metadata

From: <noah_mendelsohn@us.ibm.com>
Date: Mon, 2 Oct 2006 14:49:41 -0400
To: "Mark Baker" <distobj@acm.org>
Cc: "Booth, David (HP Software - Boston)" <dbooth@hp.com>, mbaker@gmail.com, www-tag@w3.org
Message-ID: <OF11FFBCCB.060A0922-ON852571FB.0066B340-852571FB.00676E96@lotus.com>

Mark Baker writes:

> Moreover, it seems to me that as described, it's the user agent's 
> fault for executing an (unsandboxed) executable without user prompting.

Yes, sort of.  First of all, the finding tries to make clear that the most 
serious fault lies with the jokers who served up the virus in the first 
place. 

Secondly, I did try to skirt the question of whether "Bob" had been warned 
but ignored the warning (many naive users don't know what to do when 
confronted with a warning like this, or remember that the last time they 
got this it was when they were installing software and their expert friend 
said to go ahead.)  So, clearly there is some responsibility resting with 
the user, but we've built a system in which novices browsing pictures on 
the web can trash their machines merely by pressing the wrong button on a 
warning prompt. 

> All browsers, AFAIK, warn the user in this case and provide a 
> "Cancel/Run"-style dialog.

Yes, and the finding points that out.  Still, that's not inherent in Web 
architecture.

I did agonize some over looking for completely different examples in which 
the browser might not warn, but I couldn't come up with a good one.  My 
guess is that plenty of novices get the .exe warning and either accidentally 
or through lack of expertise go ahead and run it.  I'm fairly sure that 
there are browsers that are set to quietly install certain sorts of 
plugins or controls, for example.

Anyway, I take the implied (mild) criticism that the example would have 
been more compelling if browsers didn't warn, but on balance this was the 
best exposition I could come up with.

> P.S. s/because has heard/because he has heard/

Ugh, thanks.  That's the 2nd typo I've caught today.  Proofread it all 3 
times before shipping, and missed them both.  Much appreciated, thank you.

Noah

--------------------------------------
Noah Mendelsohn 
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------

"Mark Baker" <distobj@acm.org>
Sent by: mbaker@gmail.com
10/02/2006 12:24 PM
 
        To:     "Booth, David (HP Software - Boston)" <dbooth@hp.com>
        cc:     noah_mendelsohn@us.ibm.com, www-tag@w3.org
        Subject:        Re: [metadataInURI-31] New draft of metadata in 
URI finding includes section on malicious metadata


Moreover, it seems to me that as described, it's the user agent's
fault for executing an (unsandboxed) executable without user
prompting.  All browsers, AFAIK, warn the user in this case and
provide a "Cancel/Run"-style dialog.

P.S. s/because has heard/because he has heard/

Mark.

On 10/2/06, Booth, David (HP Software - Boston) <dbooth@hp.com> wrote:
>
> Noah,
>
> Excellent addition (malicious metadata).  I don't want to delay
> publication, but there is one little phrasing that worries me.  Section
> 2.8 says:
>
>         "Thus, the primary fault in this scenario rests with the web
>         site administrators who served an executable that was intended
>         to damage Bob's machine".
>
> But section 3 says:
>
>         "In other cases, users are responsible for the consequences
>         of any incorrect inferences."
>
> I would not want someone to use that last sentence as justification for
> something misleading.  As it stands, it's a bit of a mixed message.  How
> about rephrasing that sentence, perhaps like:
>
>         "In other cases, users should be aware that their inferences
>         may be incorrect and the effect could be malicious."
>
> David Booth, Ph.D.
> HP Software
> dbooth@hp.com
> Phone: +1 617 629 8881
>
>
> > -----Original Message-----
> > From: www-tag-request@w3.org [mailto:www-tag-request@w3.org]
> > On Behalf Of Rice, Ed (ProCurve)
> > Sent: Sunday, October 01, 2006 11:26 PM
> > To: noah_mendelsohn@us.ibm.com; www-tag@w3.org
> > Cc: Williams, Stuart (HP Labs, Bristol)
> > Subject: RE: [metadataInURI-31] New draft of metadata in URI
> > finding includes section on malicious metadata
> >
> >
> > Hi Noah,
> >
> > I reviewed the document and am happy with the explanation.  Thanks for
> > adding that section.
> >
> > I'd say it's good to publish :)
> > _Ed
> >
> >
> > -----Original Message-----
> > From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf
> > Of noah_mendelsohn@us.ibm.com
> > Sent: Sunday, October 01, 2006 8:49 AM
> > To: www-tag@w3.org
> > Cc: Williams, Stuart (HP Labs, Bristol)
> > Subject: [metadataInURI-31] New draft of metadata in URI finding
> > includes section on malicious metadata
> >
> >
> > I am pleased to announce the availability of a new draft of
> > the finding:
> >
> > "The use of Metadata in URIs" [1,2,3].  The principal change is the
> > addition of a section [4] on malicious metadata, using an example of a
> > site serving a URI ending in ".jpeg" with a representation that is a
> > malicious executable.  There are a few other changes, primarily as
> > promised in response to comments made by Stuart Williams and David
> > Booth.
> > [5].  While it would probably be prudent for at least one other TAG
> > member to do an end-to-end check before we publish, I think most
> > reviewers will do fine if they focus on the new section at [4], and
> > perhaps quickly review my response to Stuart at [5].
> >
> > Although comments on TAG findings are always welcome, I should point out
> > that the TAG has as early as June signaled its intention to publish this
> > one, albeit now with the new section if it meets with approval.  Clearly
> > review of the recent changes is in order before we publish, but
> > there is a good chance that comments on other aspects of the finding
> > will be queued for consideration should we later wish to republish.  In
> > short, I think it's about time to ship this.
> >
> > Thank you!
> >
> > Noah
> >
> > [1] http://www.w3.org/2001/tag/doc/metaDataInURI-31
> > [2] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.html
> > [3] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.xml
> > [4] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.html#malicious
> > [5] http://lists.w3.org/Archives/Public/www-tag/2006Sep/0110.html
> >
> > --------------------------------------
> > Noah Mendelsohn
> > IBM Corporation
> > One Rogers Street
> > Cambridge, MA 02142
> > 1-617-693-4036
> > --------------------------------------
Received on Monday, 2 October 2006 18:49:53 GMT
