echo: nthelp
to: Geo
from: Rich
date: 2005-08-07 14:16:06
subject: Re: monad virus

From: "Rich" 

   Your key fragment below is "whoever was saying it wasn't possible".
Nobody was saying this.  It's a programming language.  By design you can
write programs.  You don't gain credibility by making bogus claims then
arguing against them.

   Your ActiveX remarks are irrelevant.  I'm responding to them only
because you have demonstrated a significant misunderstanding.  Signing
has nothing to do with safe for scripting.  Signing provides a trust
model only.  Nothing more.  It allows your computer to verify the
publisher and confirm that there has been no tampering.  It provides a
basis for you the user to make a decision based on whether you trust the
publisher.  This was a significant benefit over the Netscape plug-in
model which has no provisions for trust.  It is the same trust model that
Sun adopted for Java.

Rich

  "Geo" wrote in message
  news:42f65cc8$1{at}w3.nls.net...
  "John Beckett" wrote in message
  news:uo6bf1h7u1utrt3okd9dgn3qtvc361h9h1{at}4ax.com...

  > It is obvious that any decent scripting or programming language can
  > produce a program that can do malicious things. It is pretty trivial to
  > write a script that finds other scripts and changes their contents.

  I'm not a virus writer so I don't know what the concept these proof of
  concept viruses were supposed to prove but obviously they have proved it so
  whoever was saying it wasn't possible so it doesn't need to be secured or
  there doesn't need to be concern about an insecurity here is now proven
  wrong?

  Remember the ActiveX argument that said it requires signing so it's safe?
  How many "safe for scripting" ActiveX controls have proven to not be safe
  now? 10, 12?

  This is really no different, someone must have been arguing that it wasn't
  possible to do whatever they are doing in the poc code, that's the whole
  reason for poc code, to prove that it is possible. To me that says that
  someone in the monad project has been once again giving features priority
  over security which seems pretty typical for everyone at MS except maybe for
  the DNS group.

  Geo.



--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
