Subject: Re: Microsoft Word documents that "phone" home
From: Terje Bless (linkTSS.NO)
Date: Fri Sep 01 2000 - 18:23:13 CDT


Microsoft Security Response Center wrote:

> - It pays scant attention to the fact that customers already have
> the tool to control cookies in their hands, namely, IE. Customers
> who have used the Security Zones setting in IE to restrict how
> cookies are handled are automatically protected against all cookies,
> regardless of whether the web session was initiated by web surfing or
> by a web-enabled application.

Just to be completely clear on this issue. These are the same customers
you are referring to whom Microsoft thought would need MS Bob and the
Talking Paperclip? One thing is to give them enough rope to hang
themselves, but a booby-trapped thermonuclear weapon running on a
rand(time) countdown? Is that really wise?

I don't see that the cookie issue is really relevant. What should be
addressed is what kind of defaults, warnings, and disclosure is
practiced. Whether it's cookies, active content, or a big red button
labelled "Press Me", I want the safety catch to be on by default and I
want a warning before it goes boom! It might be worth noting that
Claymore mines are marked "this side towards enemy" on the side that
should be, uhm, towards the enemy.

> - It spins dire scenarios of people being "tracked", without
> acknowledging just how difficult it would be to actually correlate
> information like an IP address to a person's identity.

It is? Really? I'd warn off Doubleclick.net before they "waste" any more
money then. Tracking people through cookies and other kinds of web bugs
isn't really hard from a technical POV. It gets a little muddier in a
practical perspective, but here it boils down to "how bad do you want
it". We know many organizations that want it really really bad... MS
being one of them, BTW!

This shouldn't be blown all out of proportion, but it shouldn't be
downplayed either. Permissive defaults are a problem, and unless
attention to privacy is a primary concern, these things will keep
popping up.

> - It suggests that this is a purely Microsoft issue, when in fact it
> applies to all web-enabled applications. There are thousands of
> them, and they run on all operating systems.

You are a victim of your own success. MS Office products have a market
penetration that makes every little niggling glitch a major issue; not to
mention a target for anyone looking for those glitches (regardless of
whether the intent is benign or malicious). Your own marketing
material, BTW, suggests that "web enabled" spreadsheets are a "purely
Microsoft issue"; though, of course, the marketing material uses phrases
like "feature" and "innovation". :-)

While it would be inaccurate to paint this as a purely Microsoft problem
in the /general/ case, it's beyond question that it's a Microsoft issue
in the /specific/ case, and I don't feel you've addressed _that_ just
yet.