i'm very cranky at the moment. i need to rant. And yes, it's a hot button issue, and yes, i know it shouldn't be, and yes, i'm working on it.
i am frustrated by people continually making assumptions that i really don't know what i'm talking about.
i'm one of those weird people who isn't afraid to say "i don't know". In fact, i'm often disturbed by the number of things i don't know. i'm always seeking out new knowledge, across a variety of subjects. But my time and energy are limited, so sometimes i merely skim the surface of a subject so as to discover exactly what i don't know about that subject. A while back, a friend related a model of knowledge acquisition involving four stages: (1) not knowing that you don't know; (2) knowing that you don't know; (3) Knowing and not knowing that you know; (4) Knowing, and knowing it. (This article describes this process in more detail.) i feel that stage (1) is particularly dangerous, as it can lead us to adopt strong opinions and beliefs without any real support for them; hence, i like to avoid being in that stage wherever possible.
Having said that, i do actually have expertise in a few particular areas. i tend to downplay that expertise, at least partly because one characteristic of real experts is that, although they may have far more knowledge in a given subject than average, they have become aware of how much they don't know. It's like one of Murphy's Laws on Technology: "An expert is someone who knows more and more about less and less until zie knows everything about nothing."
One such area of expertise involves the field of IT. Now it's true i don't have any formal qualifications in the field: my highest qualification is a Bachelor of Arts degree, majoring in Women's Studies. But i'm an autodidact; and i have spent many years working with both the theoretical and practical aspects of computing. i got my first PC, an Amstrad PC1512, in 1986; i started using the 'net in 1994; i've been using Linux since 1997; i've professionally (re-)developed Web sites and databases. In one of the latter cases, other developers working in a different part of the same project assumed, when i said that i'd written an Access-based db app, that i'd merely strung some macros and forms together. So they were surprised to find 3000+ lines of VBA code involved - code that i'm reasonably sure wasn't too bad, since previous VBA code that i'd written, on another job, was taken over by a lecturer in VB/A programming who had positive things to say about it[1]. (Admittedly, it was only VBA, but still.)
Which brings me to the proximal cause of this rant, which involves network / Internet security.
sacred_harlot recently made a request to an e-list that she and i are both on, asking that people not send HTML emails - this Wikipedia article explains why. In the ensuing thread, implications were made that Google, via GMail, could be trusted to handle any malicious HTML (because Google knows about all security threats before they appear, and will rewrite emails accordingly! :-P ) and that any privacy and/or security threats posed by HTML emails can be trivially defeated by basic security measures such that one can view rendered HTML emails with impunity[2]. (The security measure i personally take is to disable HTML rendering in my mail client, the marvellous KMail - which negates the threat, but leaves emails looking like "<DIV><SPAN><FONT SIZE=2>Hello!</FONT></SPAN></DIV>".)
Now i'm left wondering what those security measures might be. How are people protecting themselves from malformed HTML causing a buffer overflow in the HTML rendering engine? Address randomisation, perhaps? How are people protecting themselves from the loading of external references? KMail allows one to switch such loading off, but not everyone has an email client with such a facility. Blocking outgoing TCP port 80 is only an option if you're happy not accessing the Web. You could route requests through a proxy like Squid, and configure it to disallow requests to certain blacklisted URLs; but that's not a trivial task for most users.
But my point here is this: i'm not a dumb bunny when it comes to network security. i have a good idea of what i'm talking about, and so when i say HTML email can be problematic - even in the context of other security measures - i have good reason for doing so. Assuming that i'm a panicky ignoramus in this regard is *cough* not appropriate. My approach is based on the reading and/or work that i do every day regarding IT security.
The thing is, i don't know how to convey that i'm not (at worst) an idiot or (at best) naïve in a given subject area without coming across as an arrogant jerk seeking to win some sort of pissing contest. i think it would be more than reasonable to suggest that i know more about networking and programming than 95% of the population; and i tend to feel, rightly or wrongly, that members of that 95% should respect my knowledge of these topics such that, if they're going to dismiss me, they're at least not doing so lightly. But i'm annoyed at myself, and my ego in particular, for feeling this way. To a certain extent i can justify myself by saying "Well, people's cavalier attitudes towards network security affect everyone with a 'net connection, and thus need to be addressed"; but in the end, i'm conscious that i'm driven just as much by a strong - probably immature - desire to not seem stupid or ignorant in areas in which i know that's not the case.
Meh. i need to build a bridge, but i don't have the blueprints yet . . . .
1. More specifically, when i pointed something out to him and said "i'm not sure if this is the best way to do it . . . . ?" he replied "I wouldn't have done it that way; but that's a better way of doing it"; and more generally, he remarked that he wished his students would write code like mine.
2. It was also suggested that it's pointless asking people not to send HTML email, that people do it and we should just deal with it. With that way of thinking, one might as well say that it's useless to ask users to choose strong passwords, rather than the usual mypetsname1 sort of stuff. Sure, one shouldn't rely solely on strong passwords, and should set up other security measures; but one still asks users to choose strong passwords with the hope that one's threat profile will be at least somewhat reduced.
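The external-reference problem raised above, as an added example that is not part of the original post: Python that lists the URLs an HTML-rendering mail client would fetch on display, and returns the text/plain alternative that a client with HTML rendering disabled would show instead. The sample message, the `tracker.example` host and the names `audit_message` and `RemoteRefFinder` are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Attributes a rendering engine fetches on display, with no click from the reader.
AUTO_FETCH = {("img", "src"), ("link", "href"), ("script", "src"), ("iframe", "src")}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
REMOTE = re.compile(r"(https?:)?//", re.I)  # cid: and data: references stay local

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url) pairs that would cause an outbound request

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = (value or "").strip()
            if (tag, name) in AUTO_FETCH and REMOTE.match(value):
                self.refs.append((tag, value))
            elif name == "style":  # inline CSS can pull remote images too
                self.refs += [("style", u) for u in CSS_URL.findall(value)
                              if REMOTE.match(u)]

def audit_message(raw):
    # Returns (remote references in the HTML part, plain-text body or None).
    msg = message_from_string(raw, policy=default)
    html = msg.get_body(preferencelist=("html",))
    plain = msg.get_body(preferencelist=("plain",))
    finder = RemoteRefFinder()
    if html is not None:
        finder.feed(html.get_content())
        finder.close()
    return finder.refs, (plain.get_content() if plain is not None else None)

# Constructed sample message (not taken from the e-list thread).
SAMPLE = """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello!
--b1
Content-Type: text/html; charset="utf-8"

<div style="background:url(http://tracker.example/bg.png)">
<img src="http://tracker.example/open.gif?id=42" width="1" height="1">
<img src="cid:logo"><a href="http://example.com/">site</a> Hello!</div>
--b1--
"""
```

Ordinary `<a href>` links are left out of the result because they need a click; the two flagged URLs are requested as soon as the HTML part is rendered.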
Re: to HTML or not HTML
Date: 2007-06-18 11:29 (UTC)

Re: to HTML or not HTML
Date: 2007-06-19 07:46 (UTC)

Re: to HTML or not HTML
Date: 2007-06-19 07:57 (UTC)

But the sysadmin i was referring to was not you, nor someone that i understand to be a mod on that group - it was the person who, in that thread, signed himself "Cheery Sysadmin" on the post timestamped 2007-06-11, 00:50.
So no, i wasn't at all having a go at you or any other mods of that list. Sorry for giving you that impression. :-((