RE: Document Centricity in GNOME [LONG]



I do not agree with the method; however, I do agree that something must be
done to avoid such problems.

The problem is that code is included with documents, and runs automatically.
You cannot expect every single piece of software to make the difference
between running the code and not running it. IMHO the best solution is to
dissociate at file level the code from the document. It will allow documents
to be sent with their code attached as a separate document. Mail software
will be able to filter the document from its code, and forbid any script or
code to go through, providing users the possibility to view the document
without the danger of running unknown code.

I'm looking for a mail add-on to Postfix that will filter attachments from
mails to my system. I want to have a list of authorised attachments that can
be received. For obvious reasons Word documents and Excel spreadsheets
should be forbidden, HTML also because of embedded scripts... While JPEG,
TIFF, BMP, PDF documents will be authorised. I think the whole process will
be at MIME level where certain MIME types will be declared dangerous and
some others not.

Let me know what you think of this approach....

Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: franck@sopac.org.fj
Web site: www.sopac.org.fj

		-----Original Message-----
		From:	Moshe Zadka [mailto:moshez@math.huji.ac.il]
		Sent:	Wednesday, May 10, 2000 3:53 AM
		To:	gnome-devel-list@gnome.org; gnome-gui-list@gnome.org
		Subject:	Document Centricity in GNOME [LONG]


		First of all, let me apologize for cross-posting: I'm not really sure
		where this belongs. Please direct followups to the appropriate list.

		Next, I'm not subscribed to either of the lists, so please keep me in the
		CC:.

		I've written a brain-dump on how GNOME can stay document-centric, while not
		falling prey to ILOVEYOU-type bugs.

		              How to Stop ILOVEYOU While Staying Document Centric

		   Document-centricity is a good thing. It allows users to be more
		   productive, because it reduces the cognitive load - a user needn't be
		   aware of which application opens the file, and can concentrate on his
		   work. However, as seen in the ILOVEYOU virus, document-centricity can
		   be a dangerous thing too. Because the user is unaware of which
		   application opens the document, and because the application is unaware
		   of the document's (possibly) dangerous origins, a situation in which it
		   executes malicious code might occur. The way to stop this problem is:
		   Do not use file-association -- make the user aware which application
		   is used. The user should consult with the application documentation to
		   check whether it is safe to open documents of unknown origins with it.

		   Of course, the solution is much less user-friendly than the
		   alternative. Here is a different way to solve it, while remaining
		   document-centric, with a low (but nevertheless existent) price for
		   usability, but with much increased security.

		   In addition to the file-association for the "Open" action, have a
		   file-association for the "Open Safely" action. For many programs, it
		   can be the association for both (Electric Eyes, MP3 players, etc.).
		   For other types, there will be no "Open Safely" (Perl scripts,
		   executables). A third category will be those with a different "Open
		   Safely" action (Tcl's Safe Tcl, Java's sandbox, etc.). When an
		   application installs (for example, via an RPM file), it should install
		   itself to the "Open" and "Open Safely" as appropriate. Of course, it
		   could consult a security setting to see if it should be installed in
		   "Open Safely" (e.g., Safe Tcl might be all right if the security is
		   low - high security sites may doubt if Safe Tcl really is safe). A
		   system administrator can change association system-wide, and a user can
		   further override associations, just like other associations.

		   Thus, the user is in control, but he is given a sensible default so
		   the naive user will find it slightly harder to shoot himself in the
		   foot.

		--
		Moshe Zadka <moshez@math.huji.ac.il>
		http://www.oreilly.com/news/prescod_0300.html
		http://www.linux.org.il -- we put the penguin in .com


		_______________________________________________
		gnome-devel-list mailing list
		gnome-devel-list@gnome.org
		http://mail.gnome.org/mailman/listinfo/gnome-devel-list
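
Added example, not part of the original thread: a sketch of the MIME-level attachment allowlist the reply describes, using the types it names (JPEG, TIFF, BMP, PDF accepted; Word and HTML rejected). The function names, the sample message and the magic-byte comparison are assumptions added here; hooking the check into Postfix is not shown.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Allowlist from the message above: JPEG, TIFF, BMP and PDF are accepted.
# The magic-byte prefixes are an added check (assumption), because the
# declared MIME type is chosen by the sender and can be wrong.
ALLOWED = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/tiff": (b"II*\x00", b"MM\x00*"),
    "image/bmp": (b"BM",),
    "application/pdf": (b"%PDF-",),
}

def screen_message(raw: bytes):
    """Return (filename, declared_type, verdict) for each leaf part except the plain-text body."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_multipart() or (ctype == "text/plain" and not part.is_attachment()):
            continue  # containers and the plain-text body are not screened
        name = part.get_filename() or "(inline)"
        payload = part.get_payload(decode=True) or b""
        magics = ALLOWED.get(ctype)
        if magics is None:
            verdict = "reject: type not on allowlist"
        elif not payload.startswith(magics):
            verdict = "reject: content does not match declared type"
        else:
            verdict = "accept"
        results.append((name, ctype, verdict))
    return results

def build_sample() -> bytes:
    """Constructed message: a JPEG header, a Word file, text mislabeled as PDF, an HTML part."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", "sample"
    m.set_content("see attachments")
    m.add_attachment(b"\xff\xd8\xff\xe0" + b"\0" * 16, maintype="image", subtype="jpeg", filename="photo.jpg")
    m.add_attachment(b"\xd0\xcf\x11\xe0" + b"\0" * 16, maintype="application", subtype="msword", filename="report.doc")
    m.add_attachment(b"constructed plain text\r\n", maintype="application", subtype="pdf", filename="letter.pdf")
    m.add_attachment("<html><script></script></html>", subtype="html", filename="page.html")
    return m.as_bytes()

if __name__ == "__main__":
    for row in screen_message(build_sample()):
        print(row)
```

The third sample attachment shows why the declared type alone is not enough: it claims `application/pdf` but is rejected because its bytes do not start with a PDF header.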



