[TUHS] attachments: MIME and uuencode

Noel Chiappa jnc at mercury.lcs.mit.edu
Mon Mar 13 06:04:36 AEST 2017


    > From: Doug McIlroy

    > Allowing more or less arbitrary attachments was a real convenience. But
    > allowing such stuff to serve as the message proper was dubious at
    > best.

Sorry, I'm not sure I'm completely clear what you mean there? Do you mean
'non-ASCII-text objects were processed by the mail system without being told
to do so explicitly, by the user'? That, combined with the below, is indeed a
problem.

    > it also posed a security threat.

The problem isn't really so much the ability to have attachments, as that
people defined attachment types with open-ended capabilities, up to and
including what I call 'active content' - i.e. content which includes code
which is to be run.

(Yes, yes, I know - even without that, it's possible to feed 'dumb'
applications bad data, and do an intrusion; I seem to recall there was one of
those with JPEG's, so even plain images were not perfectly safe.  And someone
just provided an example of an with plain ASCII. But those holes are much
harder to find/use, whereas active content is a security hole the size of a
trans-Atlantic liner.)

Without an _incredibly_ secure OS (something on the order of late-stage
Multics, when the security had been beefed up even over the original design
[the jargon to search for is 'AIM', if you're interested], or better),
bringing in 'active content' from _outside_ the system, and running it, is
daylight madness - it's an invitation to disaster.

This is true no matter _how_ such content comes in: via HTTP, with a Web
browser; via SMTP, with e-mail, whatever.

Dave Moon coined a phrase, based on an old anti-drug movie: 'TECO madness: A
moment of convenience, a lifetime of regret.' These active contents all, to
me, fall into that category. They _seem_ like a good idea, and provide
interesting capabilities - until some cracker uses one to wipe your hard
drive.


    > With active text such as HTML, it is all too easy to mistakenly brush
    > over a phishing link.

HTML email is another of my pet peeves/hot buttons - it's just another vector
for active conent. So, for the 'convenience' of being able to send email in
multiple fonts ('eye candy', I derisively call it), we get to let malefactors
send in viruses that can wipe a hard drive.

To me, this kind of thing is professional malpractice, on a par with building
cars that catch on fire, or buildings that collapse. People need to suffer
incredibly severe penalties for propogating this kind of nonsense; maybe then
software engineers will stop valuing convenience over regret.

       Noel


More information about the TUHS mailing list