Email Clients and digital signatures

Neil Williams
Sun Jul 6 10:59:02 2003


On Sunday 06 Jul 2003 5:22 am, CL Gilbert wrote:
> Well I have been away from the scripting for a while so I will say that
> what you say makes no sense if that is true.

Your ignorance of the risk is threatening sites that I rely on. Do something
about it.

> I know Java could Never do anything like that, even though the program
> can run automatically when you visit a web page or download an email.
> Same with javascript.  It just does not have access to these things.

Java does have a good sandbox, that's why I recommend OpenOffice later to
replace MSOrifice. Javascript does have some problems on Windows platforms
but the security implications are not massive. Javascript is nothing to do
with Java.

I was talking of ActiveX/VBScript not Javascript. ActiveX can access your
system registry directly, no express permission is required by default
although nearly all the mechanisms can be locked down if the admin is VERY
security minded and oblivious to user complaints. Internet Explorer runs
VBScript or ActiveX within the Explorer environment, i.e. your desktop!

> and we are all the way to XP and windows is doing something stupid as that

Hate to disappoint you but many business users are not at XP (nor ever will
MS keep up their licencing fiasco). Many still run Win95, some have updated
to Win98 but that's your lot. I have no direct experience of XP but the
principle and the vulnerability still exist in XP. (See the Windows Security
sites for more info, XP is still getting security alerts for HTML rendering)

> also the default action is NOT to allow arbitrary code to execute.  It
> depends on the certificate of the code or website.

Not true. A site does not need a certificate to execute ActiveX elements. Nor
does it need to be on a website - as the quote showed, it is easier to
execute from an HTML email where certificates have no impact.

> If this is so, why do I still get malicious emails that require me to
> run a program.  why don't I get sent ones that just run automatically??

You probably have. If it runs automatically, why would you ever know that it
did run? I hate to repeat myself, so here's the answer:

From my email:
OT Off-topic Was:Email Clients and digital signatures
Today 12:30:42 am
It really is that easy - the reason [low-level formatting of your C: drive]
isn't happening all the time is that the potential perpetrators have lost
interest in trashing individual systems. That's left to those who have a
personal reason for targeted revenge (usually targeted at the backup server).
The interest is in distributed attacks - keeping your machine running their
nice Trojan. You keep going, oblivious to the chaos your infected machine is
creating across the rest of the network.
(A DDoS, distributed denial of service).

So what is the point of alerting you that your lovely machine is running a
cutesy little Trojan??? The whole point of the Trojan method is that the
trojan runs when the intruder wants it to run, does what the intruder wants
it to do and is completely invisible to all interventions from the user.
There is often no need for the Trojan to reveal itself - it's more of a cold
war mole. If your system is set to display HTML email unaltered, there is no
reliable method of assuring that you have a clean system. Trojans can hide
from anti-virus routines by using the same techniques as the 'Tracker'
programs employed by companies to pretend to stop laptop theft. (Tip: use
Linux to format your entire hard drive and your trojan (or indeed Tracker) is
no more. Windows format won't.)

A DDoS can bring down any site on the internet if it is allowed to get big
enough. The sights are set higher now too, the targets become whole subnets
or large company sites with multiple sub-domains. Unless people stop
believing the kinds of things you have been quoting at me, the situation can
only get worse.

It really is stupidly easy to protect yourself AND OTHERS from your own
There are tips available to bolster Windows' poor security, including on my

If you must use HTML email - or just allow it to be read as HTML - you are
being irresponsible NOT to prevent it from affecting others when the solution
has been staring you in the face since Win98 was released. You still won't be
protected from Word macros (uninstall MSOffice and use OpenOffice to do that)
but it would be something.


Neil Williams
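
An added example, not part of the original message: one way a mail viewer can avoid displaying HTML email unaltered, by never rendering the HTML part, reporting the active content found in it, and showing the text/plain alternative instead. The function names, tag list and sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Tags that can load or run code when an HTML part is rendered (assumed list).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}

class ActiveContentFinder(HTMLParser):
    """Collects tags and attributes that can run code when HTML is rendered."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(tag)
        for name, value in attrs:
            scripted = (value or "").strip().lower().startswith(("javascript:", "vbscript:"))
            if name.startswith("on") or scripted:      # onload=, href="vbscript:..."
                self.findings.append(f"{tag}@{name}")

def safe_view(raw):
    """Return (text_to_display, findings); the HTML part is never rendered."""
    msg = message_from_string(raw, policy=default)
    finder = ActiveContentFinder()
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        finder.feed(html.get_content())
    plain = msg.get_body(preferencelist=("plain",))
    text = plain.get_content() if plain is not None else "[HTML-only message withheld]"
    return text.strip(), finder.findings

# Constructed sample message (not taken from the thread).
SAMPLE = """\
From: a@example.org
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hello in plain text.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body onload="init()"><object classid="clsid:PLACEHOLDER"></object>
<script language="VBScript">MsgBox "x"</script><p>Hello</p></body></html>
--b1--
"""
```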
