- From: <noah_mendelsohn@us.ibm.com>
- Date: Mon, 2 Oct 2006 14:49:41 -0400
- To: "Mark Baker" <distobj@acm.org>
- Cc: "Booth, David (HP Software - Boston)" <dbooth@hp.com>, mbaker@gmail.com, www-tag@w3.org
Mark Baker writes: > Moreover, it seems to me that as described, it's the user agent's > fault for executing an (unsandboxed) executable without user prompting. Yes, sort of. First of all, the finding tries to make clear that the most serious fault lies with the jokers who served up the virus in the first place. Secondly, I did try to skirt the question of whether "Bob" had been warned but ignored the warning (many naive users don't know what to do when confronted with a warning like this, or remember that the last time they got this it was when they were installing software and their expert friend said to go ahead.) So, clearly there is some responsibility resting with the user, but we've built a system in which novices browsing pictures on the web can trash their machines merely by pressing the wrong button on a warning prompt. > All browsers, AFAIK, warn the user in this case and provide a > "Cancel/Run"-style dialog. Yes, and the finding points that out. Still, that's not inherent in Web architecture. I did agonize some over looking for completely different examples in which the browser might not warn, but I couldn't come up with a good one. My guess is that plenty of novices get the .exe warning and either accidently or through lack of expertise go ahead and run it. I'm fairly sure that there are browsers that are set to quietly install certain sorts of plugins or controls, for example. Anyway, I take the implied (mild) criticism that the example would have been more compelling if browsers didn't warn, but on balance this was the best exposition I could come up with. > P.S. s/because has heard/because he has heard/ Ugh, thanks. That's the 2nd typo I've caught today. Proofread it all 3 times before shipping, and missed them both. Much appreciated, thank you. Noah -------------------------------------- Noah Mendelsohn IBM Corporation One Rogers Street Cambridge, MA 02142 1-617-693-4036 -------------------------------------- "Mark Baker" <distobj@acm.org> Sent by: mbaker@gmail.com 10/02/2006 12:24 PM To: "Booth, David (HP Software - Boston)" <dbooth@hp.com> cc: noah_mendelsohn@us.ibm.com, www-tag@w3.org Subject: Re: [metadataInURI-31] New draft of metadata in URI finding includes section on malicious metadata Moreover, it seems to me that as described, it's the user agent's fault for executing an (unsandboxed) executable without user prompting. All browsers, AFAIK, warn the user in this case and provide a "Cancel/Run"-style dialog. P.S. s/because has heard/because he has heard/ Mark. On 10/2/06, Booth, David (HP Software - Boston) <dbooth@hp.com> wrote: > > Noah, > > Excellent addition (malicious metadata). I don't want to delay > publication, but there is one little phrasing that worries me. Section > 2.8 says: > > "Thus, the primary fault in this scenario rests with the web > site administrators who served an executable that was intended > to damage Bob's machine". > > But section 3 says: > > "In other cases, users are responsible for the consequences > of any incorrect inferences." > > I would not want someone to use that last sentence as justification for > something misleading. As it stands, it's a bit of a mixed message. How > about rephrasing that sentence, perhaps like: > > "In other cases, users should be aware that their inferences > may be incorrect and the effect could be malicious." > > David Booth, Ph.D. > HP Software > dbooth@hp.com > Phone: +1 617 629 8881 > > > > -----Original Message----- > > From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] > > On Behalf Of Rice, Ed (ProCurve) > > Sent: Sunday, October 01, 2006 11:26 PM > > To: noah_mendelsohn@us.ibm.com; www-tag@w3.org > > Cc: Williams, Stuart (HP Labs, Bristol) > > Subject: RE: [metadataInURI-31] New draft of metadata in URI > > finding includes section on malicious metadata > > > > > > Hi Noah, > > > > I reviewed the document and am happy with the explanation. Thanks for > > adding that section. > > > > I'd say its good to publish :) > > _Ed > > > > > > -----Original Message----- > > From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf > > Of noah_mendelsohn@us.ibm.com > > Sent: Sunday, October 01, 2006 8:49 AM > > To: www-tag@w3.org > > Cc: Williams, Stuart (HP Labs, Bristol) > > Subject: [metadataInURI-31] New draft of metadata in URI finding > > includes section on malicious metadata > > > > > > I am pleased to announce the availability of a new draft of > > the finding: > > > > "The use of Metadata in URIs" [1,2,3,]. The principle change is the > > addition of a section [4] on malicious metadata, using an example of a > > site serving a URI ending in ".jpeg" with a representation that is a > > malicious executable. There are a few other changes, primarily as > > promised in response to comments made by Stuart Williams and David > > Booth. > > [5]. While it would probably be prudent for at least one other TAG > > member to do an end-to-end check before we publish, I think most > > reviewers will do fine if they focus on the new section at [4], and > > perhaps quickly review my response to Stuart at [5]. > > > > Although comments on TAG findings are always welcome, I > > should point out > > that the TAG has as early as June signaled its intention to > > publish this > > one, albeit now with the new section if it meets with > > approval. Clearly > > review of of the recent changes is in order before we publish, but > > there is a good chance that comments on other aspects of the finding > > will be queued for consideration should we later wish to > > republish. In > > short, I think it's about time to ship this. > > > > Thank you! > > > > Noah > > > > [1] http://www.w3.org/2001/tag/doc/metaDataInURI-31 > > [2] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.html > > [3] http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.xml > > [4] > > http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061001.html# > > malicious > > [5] http://lists.w3.org/Archives/Public/www-tag/2006Sep/0110.html > > > > -------------------------------------- > > Noah Mendelsohn > > IBM Corporation > > One Rogers Street > > Cambridge, MA 02142 > > 1-617-693-4036 > > -------------------------------------- > > > > > > > > > > > > > > > >
Received on Monday, 2 October 2006 18:49:53 UTC