Great Circle Associates List-Managers
(July 2002)


Subject: Re: The role of the mailing list
From: Nick Simicich <njs @ scifi . squawk . com>
Date: Mon, 08 Jul 2002 13:03:10 -0400
To: Chuq Von Rospach <chuqui @ plaidworks . com>, <list-managers @ greatcircle . com>
In-reply-to: <B94E8606 . 46D0B%chuqui @ plaidworks . com>
References: <30450 . 1026107178 @ kanga . nu>

At 11:57 PM 2002-07-07 -0700, Chuq Von Rospach wrote:
> Nick made a number of comments I mostly don't agree with (HTML is not a
> programming language. It's a markup language. His statement, if true, also
> makes the statement "wordstar is really a compiler" also true, which it's

No, it is an interpreter. Difference -- a programming language does not always imply a compiler. Wordstar, and Microsoft Word, and the HTML viewers you use are all interpreters, as much as Javascript is interpreted. All of these things have "intended actions" and (likely) "unintended actions", situations where you can feed them invalid input and get them to do unexpected (by the original coder) things. (As opposed to the typical Word Macro Virus issue, where the virus is actually written in the macro language and uses the ordinary language facilities). The number of unintended actions is likely correlated to the general care used by the coder, the language used, the standards and procedures used, and so forth.

This goes back to the "Use a viewer rather than Microsoft Word to look at your documents." It may work by limiting intended actions, as the viewer may be missing the macro language that is bundled into full Word, but it may not limit unintended consequences --- the document may well have overflows that translate into arbitrary code execution.

> HTML has had stuff tossed onto it, whether it's javascript or java
> applets or activex or whatever, and those things ARE active code pieces --
> but they are NOT HTML. Pure HTML is benign. It can be used to bring in
> non-benign pieces, but that doesn't mean HTML is non-benign, and that's
> where you get the ability to protect the user from those non-benign
> pieces...) -- and other than the previous, I'll disagree without comment
> because most of the disagreements are philosophical.

Perhaps, and perhaps things are just definitions. I will agree with you that the intention of pure HTML (that is, HTML without intended scripting) is to be a benign markup language. How well it succeeds at that is relative to how well the interpreter is written.

> But he also said something on the order of "stop protecting against viruses,
> too" -- and in many ways, he's correct. We CAN, actually, simply go to a
> caveat emptor approach.

That was a sarcastic strawman.

> Nick is running up the strawman that if we can't do everything, all the
> time, then don't do anything. That obviously fails, but it's a wonderful

I agree that it obviously fails. The point is to do as well as we can. This leads to my point in the final paragraph...

> My counter-argument is that we have a responsibility to do what we can
> safely and reasonably, help users understand the risks where we can't
> provide that safe harbor, but at the same time, we have to be very careful
> about what things we choose to put into our purview of responsibility.
>
> Protecting end-users from viruses is a no-brainer. We can do it for the most
> part pretty well. Viruses serve no useful or constructive purpose. Even if
> Joe sixpack doesn't care if he gets infected, we do, because his infection
> impacts other users elsewhere (and from the public health real world
> analogy, there's a precedent of isolation and forced inoculation even
> against the wishes of the user we can adopt).
>
> But when you start talking about HTML and web bug issues, it gets a lot less
> clear-cut. YOU may feel strongly about privacy issues, but does running a
> mail list give you the right to force your privacy views on your users?

My definition of my mailing lists is that I am not simply a xerox machine. I decide what to forward to my users and what not to. You have already agreed that my approach is a good idea, the question is, where do you stop? There are probably users who disagree with removing viruses from the mailing lists --- but I don't care that much.

For example, I noted in a separate message that I remove some headers from e-mail, and not only errors-to. I also remove all headers that generate those "The user has requested notification that you read their message," or "the originating user has flagged this message as important." I add footers. I automatically filter for other content and edit it.

Let's put it a different way: Supposing you do remove web bugs and scripting. Will any of your users notice? Will any care?

> viruses, there's a clear "protection of the commons" need here. You can't
> have someone with mumps running around the pregnant women. But that is far
> from clear on privacy. If the user doesn't care about web bugs, what gives
> you the right to force your view of that on them? Where does that privacy
> issue become one of the commons, where failing to protect users causes
> damage to that commons?

If you consider your lists to be a commons, that also means that you recognize the right of people to post handbills there. I don't. But the precedent (even if you consider yourself a common carrier) is that common carriers have generally protected the privacy of their users until and unless the users have asked that their privacy be discarded.

> I just don't believe it's there. I do believe list admins can evangelize
> their views, but where virus fighting is an attempt to mitigate damage
> caused to the commons we all use, this privacy stuff is instead an attempt
> to force a personal agenda on the users of the list, where you effectively
> are telling the users what they have to believe -- and that coercion doesn't
> come with any justification of common need like the virus hacks do.

Sure it does: The protection of their e-mail addresses from exposure to harvesters. And the protection of their privacy.

For example, someone could sign up to one of my lists with their real e-mail address, and never post. Their e-mail address is not available to the public. I no longer, for example, allow "who" or "which" commands by non-admins (at the user's request initially, I had not thought of it at that point, this was some time ago). But if I allow the transmission of web bugs, or HTML scripting in the archives that opens them to cross site scripting vulnerabilities, their addresses and privacy are not protected.

> So in one case you're taking action for common good and protecting users who
> may be incapable of that action themselves. But in another, it's effectively
> saying "you have to do it my way", but without the damage to the commons
> that comes from inaction. One is the health department locking up people
> with active TB so others don't get it. The other is Greenpeace blockading an
> Esso station because they feel you shouldn't be buying gas there.

It is more like, "The phone company insisting that they will not install a pen register on your line unless presented with a warrant." You know? Probably 80-90% of the people would not care if the government could get a pen register without a license.

> Do you, as list admin, have the right to act as Greenpeace? I don't believe

I don't think your analogy is at all correct. You might think it is, but that is because your world view is warped from too much use of Apple computers. :-)

My other point is that you have to do it anyway to make the archives safe for viewing. You might as well make the archives representative of the actual content distributed on the list.

"Forgive him, for he believes that the customs of his tribe are the laws of nature!"
 -- George Bernard Shaw (1856-1950)
Nick Simicich - njs @ scifi . squawk .
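
Added example, not part of the message above and not the code of any list software mentioned in it: one way a list server could do the filtering the message describes, dropping receipt and priority headers and rewriting HTML parts so that neither subscribers nor the archive receive web bugs or scripting. The header names, the tag allow-list and the sample message are assumptions made for the illustration.

```python
import email, email.policy, re
from html import escape
from html.parser import HTMLParser

# Assumed header names: read receipts, priority flags, Errors-To.
STRIP_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To", "Errors-To",
                 "X-Confirm-Reading-To", "Importance", "Priority", "X-Priority")
ALLOWED_TAGS = set("a b i em strong p br ul ol li blockquote pre code div span".split())
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "applet"}
SAFE_URL = re.compile(r"(?i)https?://")

class ArchiveSafeHTML(HTMLParser):
    # Re-emits allow-listed tags only; img, event handlers and comments vanish.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            href = dict(attrs).get("href") or ""
            keep = tag == "a" and SAFE_URL.match(href)
            self.out.append("<%s%s>" % (tag, ' href="%s"' % escape(href) if keep else ""))
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_for_list(raw):
    msg = email.message_from_string(raw, policy=email.policy.default)
    for name in STRIP_HEADERS:
        del msg[name]  # removes every occurrence; no error if absent
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = ArchiveSafeHTML()
            parser.feed(part.get_content())
            parser.close()
            part.set_content("".join(parser.out), subtype="html")
    return msg

# Constructed sample message, not taken from the list.
SAMPLE = ("Subject: hello\nX-Priority: 1\nDisposition-Notification-To: p@example.org\n"
          "Content-Type: text/html; charset=utf-8\n\n"
          '<p onclick="x()">See <a href="https://example.org/">this</a></p>\n'
          '<img src="http://tracker.example/bug.gif?u=42"><script>track()</script>\n')
```

Because the parser rebuilds the markup from an allow-list instead of deleting known-bad constructs, anything it does not recognise is dropped, and the same output can be both distributed and archived.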
