[personal profile] flexibeast
i'm very cranky at the moment. i need to rant. And yes, it's a hot button issue, and yes, i know it shouldn't be, and yes, i'm working on it.

i am frustrated by people continually making assumptions that i really don't know what i'm talking about.

i'm one of those weird people who isn't afraid to say "i don't know". In fact, i'm often disturbed by the number of things i don't know. i'm always seeking out new knowledge, across a variety of subjects. But my time and energy is limited, so sometimes i merely skim the surface of a subject so as to discover exactly what i don't know about that subject. A while back, a friend related a model of knowledge acquisition involving four stages: (1) not knowing that you don't know; (2) knowing that you don't know; (3) Knowing and not knowing that you know; (4) Knowing, and knowing it. (This article describes this process in more detail.) i feel that stage (1) is particularly dangerous, as it can lead us to adopt strong opinions and beliefs without any real support for them; hence, i like to avoid being in that stage wherever possible.

Having said that, i do actually have expertise in a few particular areas. i tend to downplay that expertise, at least partly because one characteristic of real experts is that, although they may have far more knowledge in a given subject than average, they have become aware of how much they don't know. It's like one of Murphy's Laws on Technology: "An expert is someone who knows more and more about less and less until zie knows everything about nothing."

One such area of expertise involves the field of IT. Now it's true i don't have any formal qualifications in the field: my highest qualification is a Bachelor of Arts degree, majoring in Women's Studies. But i'm an autodidact; and i have spent many years working with both the theoretical and practical aspects of computing. i got my first PC, an Amstrad PC1512, in 1986; i started using the 'net in 1994; i've been using Linux since 1997; i've professionally (re-)developed Web sites and databases. In one of the latter cases, other developers working in a different part of the same project assumed, when i said that i'd written an Access-based db app, that i'd merely strung some macros and forms together. So they were surprised to find 3000+ lines of VBA code involved - code that i'm reasonably sure wasn't too bad, since previous VBA code that i'd written, on another job, was taken over by a lecturer in VB/A programming who had positive things to say about it[1]. (Admittedly, it was only VBA, but still.)

Which brings me to the proximal cause of this rant, which involves network / Internet security. sacred_harlot recently made a request to an e-list that she and i are both on, asking that people not send HTML emails - this Wikipedia article explains why. In the ensuing thread, implications were made that Google, via GMail, could be trusted to handle any malicious HTML (because Google knows about all security threats before they appear, and will rewrite emails accordingly! :-P ) and that any privacy and/or security threats posed by HTML emails can be trivially defeated by basic security measures such that one can view rendered HTML emails with impunity[2]. (The security measure i personally take is to disable HTML rendering in my mail client, the marvellous KMail - which negates the threat, but leaves emails looking like "<DIV><SPAN><FONT SIZE=2>Hello!</FONT></SPAN></DIV>".)

Now i'm left wondering what those security measures might be. How are people protecting themselves from malformed HTML causing a buffer overflow in the HTML rendering engine? Address randomisation, perhaps? How are people protecting themselves from the loading of external references? KMail allows one to switch such loading off, but not everyone has an email client with such a facility. Blocking outgoing TCP port 80 is only an option if you're happy not accessing the Web. You could route requests through a proxy like Squid, and configure it to disallow requests to certain blacklisted URLs; but that's not a trivial task for most users.

But my point here is this: i'm not a dumb bunny when it comes to network security. i have a good idea of what i'm talking about, and so when i say HTML email can be problematic - even in the context of other security measures - i have good reason for doing so. Assuming that i'm a panicky ignoramus in this regard is *cough* not appropriate. My approach is based on the reading and/or work that i do every day regarding IT security.

The thing is, i don't know how to convey that i'm not (at worst) an idiot or (at best) naïve in a given subject area without coming across as an arrogant jerk seeking to win some sort of pissing contest. i think it would be more than reasonable to suggest that i know more about networking and programming than 95% of the population; and i tend to feel, rightly or wrongly, that members of that 95% should respect my knowledge of these topics such that, if they're going to dismiss me, they're at least not doing so lightly. But i'm annoyed at myself, and my ego in particular, for feeling this way. To a certain extent i can justify myself by saying "Well, people's cavalier attitudes towards network security affect everyone with a 'net connection, and thus need to be addressed"; but in the end, i'm conscious that i'm driven just as much by a strong - probably immature - desire to not seem stupid or ignorant in areas in which i know that's not the case.

Meh. i need to build a bridge, but i don't have the blueprints yet . . . .



1. More specifically, when i pointed something out to him and said "i'm not sure if this is the best way to do it . . . . ?" he replied "I wouldn't have done it that way; but that's a better way of doing it"; and more generally, he remarked that he wished his students would write code like mine.

2. It was also suggested that it's pointless asking people not to send HTML email, that people do it and we should just deal with it. With that way of thinking, one might as well say that it's useless to ask users to choose strong passwords, rather than the usual mypetsname1 sort of stuff. Sure, one shouldn't rely solely on strong passwords, and should set up other security measures; but one still asks users to choose strong passwords with the hope that one's threat profile will be at least somewhat reduced.

 

Date: 2007-06-11 05:00 (UTC)
From: [identity profile] cheshire-bitten.livejournal.com
I am always amazed by the amount that I don't know, the amount of stuff that is out there and most people don't even realize exists

Date: 2007-06-11 07:11 (UTC)
From: [identity profile] winterkoninkje.livejournal.com
One interesting thing about bright folks is that they're often aware of what they do and do not know and are perfectly willing to share either of those facts. Consequently, they tend to speak authoritatively on things they do know and tend to remain quiet on things they do not, since they do not. However, the majority of the population doesn't think that way and so interprets speaking with authority on any given topic as though one is speaking with authority on all topics (over-generalization fallacy), which isn't helped much by the fact that the bright folks tend to be quiet and listen when the topic is one they don't know much about.

Consequently, those self-aware bright folks tend to get labeled as arrogant more often than not. This's something that took me quite a while to come to terms with, especially being an autodidactic polymath. My current (arrogant) take on the matter is to offer my intelligence or ignorance at face value and leave it up to others to call me arrogant or not; if someone hates me for it, that's their problem not mine (though I do try not to be an ass about it). Surely there's some method of social engineering to make people more receptive, but I've found that people who are unwilling to listen to others who may possibly know better (or even just know differently) tend not to be worth the time to coddle into listening. YMMV and all that.

Date: 2007-06-11 07:14 (UTC)
From: [identity profile] winterkoninkje.livejournal.com
And as for all the things I do know, every day I'm confronted with countless things I do not. If ever there comes a day when that's not the case, I'm obviously doing something very wrong with my life.

Date: 2007-06-12 12:19 (UTC)
From: [identity profile] flexibeast.livejournal.com
*nod* i think the people that aren't amazed desperately need to develop a sense of perspective. :-) On the other hand, we know what happens when people are subjected to the Total Perspective Vortex. ;-)

Date: 2007-06-12 12:20 (UTC)
From: [identity profile] flexibeast.livejournal.com
*nod* Excellent analysis!

Date: 2007-06-17 03:14 (UTC)
From: [identity profile] zhasper.livejournal.com
Security is a process, not a state.

Restricting yourself to text-only email doesn't render you "secure", it renders you "less vulnerable to certain types of attack only possible in HTML emails".

There are other ways to avoid the attacks listed at http://en.wikipedia.org/wiki/HTML_email#Security_vulnerabilities. For instance - don't trust link text, but look at the destination of the link[1]. Don't load any images - Google won't load images in any email unless you explicitly tell it to do so (either for that email, or for all emails from that sender).

During periods of increased threats, the US DOD also orders all civilian aircraft to be grounded. Does this mean that having flying planes overhead is something that should be universally prohibited?

The spam thing.. that's not even a security vulnerability, that's an annoyance (and maybe a gullible-person vulnerability too, but that's not the topic here).

My point is not that you're wrong; my point is that you're also not right. Measures such as enforcing text-only email don't make you secure. They can minimise the range of attacks to which you're vulnerable, but you'll never get to the point of being totally secure. Also, you have to realise that steps such as enforcing text only email involve a tradeoff: as well as a decrease in vulnerability, they also create a decrease in utility. There are things that can be done with HTML emails that can't be done in text-only.

I don't think that people resisting text-only emails on mailing lists are doing so primarily because they doubt your expertise; usually, they're doing so because text-only emails deny them the chance to use their pretty colours, their fancy fonts, and to include that picture of Brad Pitt they've been lusting after all week. Also, having to copy-and-paste urls into a browser is more work than just clicking on a link - especially if you're already reading your email inside a web browser. In short, the users are aware that there's a tradeoff involved in moving to plain-text email, but they're not willing to make that tradeoff[2].

[1] That's not terribly useful either though - there are plenty of ways to disguise the target of a link, or to redirect you once you hit the link... Rasmus gave some scary examples of what can be done in his talk at LCA this year (Somewhere about 3/4 of the way through the talk, iirc).

[2] That said - I think most people are making that decision based on an incomplete understanding of the threats, and an incomplete understanding of the risk they're exposing themself to. But, if that's the cause, I feel it would be more appropriate for you to be upset at their lack of understanding, and work to make them understand, than to be upset at their choice.
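The two checks raised in this thread, remote content that loads as soon as a message is rendered (the Web beacons mentioned in the post) and link text that names a different host than the link's destination, can be sketched as follows. This is an added example, not part of the original post or comments; the sample message, its addresses and its hostnames are constructed placeholders.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make a rendering client fetch a URL unprompted.
FETCH_ATTRS = {("img", "src"), ("iframe", "src"), ("script", "src"),
               ("link", "href"), ("body", "background")}
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def split_url(url):
    try:
        return urlsplit(url)
    except ValueError:  # malformed URL in untrusted mail
        return urlsplit("")


class MailAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote_loads = []     # (tag, url) fetched as soon as the mail renders
        self.link_mismatches = []  # (host shown in link text, host in href)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for fetch_tag, attr in FETCH_ATTRS:
            url = attrs.get(attr) or ""
            if tag == fetch_tag and split_url(url).scheme in ("http", "https"):
                self.remote_loads.append((tag, url))
        if tag == "a":
            self._href, self._text = attrs.get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        real = (split_url(self._href).hostname or "").lower()
        shown = HOST_IN_TEXT.search("".join(self._text))
        if shown and real and shown.group(1).lower() != real:
            self.link_mismatches.append((shown.group(1).lower(), real))
        self._href = None


def audit_message(raw):
    """Parse a raw RFC 5322 message and audit every text/html part."""
    audit = MailAudit()
    for part in message_from_string(raw, policy=default).walk():
        if part.get_content_type() == "text/html":
            audit.feed(part.get_content())
    audit.close()
    return audit


# Constructed sample message; every address and hostname is a placeholder.
SAMPLE = """\
From: list-member@example.org
To: reader@example.net
Subject: hello
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<div><font size="2">Hello!</font>
<a href="http://login.example.invalid/reset">www.example.org</a>
<a href="https://www.example.org/about">www.example.org</a>
<img src="http://tracker.example.invalid/open.gif?rcpt=reader%40example.net">
<img src="cid:logo123">
</div>
"""
```

A link that passes the mismatch check can still redirect after the click, which is the limitation footnote [1] above points out.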

Date: 2007-06-17 03:19 (UTC)
From: [identity profile] zhasper.livejournal.com
And just in case I didn't make myself clear - Yes, prohibiting all aircraft would definitely make us more secure from certain types of threat. It wouldn't be terribly useful though, as it would still leave a very large range of threats that we were still exposed to - and it would have the effect of making long-distance travel much more expensive in both time and money.

It's a trade-off we aren't willing to make.

I'm not arguing that HTML email is "secure" or "safe". I do agree that there are attacks possible in HTML emails that aren't possible in plain-text emails. I don't think that disabling HTML email altogether is the only way to mitigate those risks though, and I definitely don't think that disabling HTML email altogether is always necessary.

Date: 2007-06-17 04:26 (UTC)
From: [identity profile] flexibeast.livejournal.com
Yes, i read Bruce Schneier's writings too, and know that security is a process, and that security involves risk management and trade-offs. Nowhere in my post do i imply otherwise. Nor do i say anywhere in my post that 'total security' can ever be achieved (if you believe otherwise, please point me to the offending phrase / section / para etc. and i'll add a clarification, or do a rewrite if necessary). Indeed, the point i was trying to make on the e-list in question was that, despite some glib claims implying that security is easy, the reality is otherwise (as per the para in which i discuss malformed HTML being able to induce buffer overflows).

Sorry, but spam can represent a security issue, although in my posts to the e-list in question, i was discussing it primarily as a privacy issue (i.e. i don't want my email address appearing on spammer's lists of currently active email addresses due to Web beacons being placed in HTML emails). Spamming can result in DoS attacks (whether deliberate or otherwise) on various parts of a network (heck, i would argue that the fact that it's estimated that 75%+ of emails are spam is a DDoS attack in itself - it's consuming resources on networks, servers and hosts that could be used for other purposes). People responding to spam can deliberately or inadvertently provide information about themselves, the host and the network from which they respond. Social engineering is a security issue - perhaps one of the most important security issues. (Yes, i've read Kevin Mitnick too.)

Re. HTML email specifically - i know that most people don't know why it poses a threat. That's why, when sacred_harlot raised the issue on the list in question, i wrote a very polite email summarising why HTML is problematic. What annoyed me was having another sysadmin on the list (not a general user - a fact i should have made clear in my post) suggest that we just need to put other security measures in place, rather than asking people not to use HTML email.

Now i believe that many (but certainly not all) people use HTML email not necessarily because they actively choose to, but because that's the default setting in the default email app they're using - just like many people don't actively choose to use IE, but use it because it's the default browser for Win. Further, from what i've seen of the content of HTML email over the years, there are rarely any occasions where the benefits of HTML that you speak of were actually required (teens who 'need' pretty colours in their emails notwithstanding).

The thing is, you and i may have a good idea about IT security, and be aware of the range of security measures that one needs to take in an ongoing way to reduce (not eliminate) our threat profiles - but that's not the case for most people. And given that most people see security as a burden to be avoided wherever possible, i think it's much more feasible to ask people not to send HTML emails than to ask everyone to implement the sort of comprehensive security measures that you and i undertake - the former is much more likely to actually happen than the latter! Especially because i believe most people want to "do the right thing", and will often be willing to trade off the ability to italicise occasionally for the feeling that they're reducing their possible contribution to security problems on the 'net (and many, if not most, Win users will have had an experience of their box(en) being affected by 'net-based security issues).

[ Comment continued below . . . . ]

Date: 2007-06-17 04:26 (UTC)
From: [identity profile] flexibeast.livejournal.com
[ Continued from previous comment . . . . ]

Nevertheless, i'm also fully aware that HTML email will continue to arrive in my inbox irrespective of my ongoing attempt at educating the general public around this issue. That's why i've turned HTML rendering off in KMail (which, by the way, also results in image loading being disabled). And more generally, that's hardly the only security measure i've taken on the networks i manage: not using Win at all eliminates entire classes of security problems; i only enable those services that are needed; i've manually configured iptables on 'net-facing machines to only accept limited types of outgoing traffic, and even more limited types of incoming traffic; network-internal machines are NAT'd; i subscribe to vuln lists, noting where problems exist, and applying mitigatory (is that a word?) measures and/or patches where appropriate as soon as possible; i run rootkit checks; i keep an eye out for 'unusual' system behaviours; i read the RISKS digest; i educate my networks' users about strong passwords, phishing, HTTPS, certificates, CSRF, careful provision of personal information, etc.; and so on. And i'm also aware of a number of things i've chosen not to do - for example, running certain hardening and/or IDS systems.

Are there things i've not thought of? Almost surely. Do i feel i'm completely secure? Of course not. Do i still want to discourage people from sending HTML email? Yes, because it's not just me and my networks that i'm worried about, but the health of the 'net in general.

If i were to use an aircraft analogy, i'd say i'm not saying that people shouldn't fly at all, but to know what flight behaviours pose risks to themselves and others - and to know that although there are always risks associated with flying, one can continually take steps to reduce those risks somewhat.

to HTML or not HTML

Date: 2007-06-18 08:30 (UTC)
From: [identity profile] theuppitywoman.livejournal.com
I think that the issue in question on e groups in particular is that the vast majority of people on them simply don't know or understand enough about how computers & the big wide net actually work to be able to switch off the automatic HTML facility.

Should we therefore ban them from posting to groups (particularly the social & support groups) because they're not tech savvy??? I don't think so.

Re: to HTML or not HTML

Date: 2007-06-18 11:20 (UTC)
From: [identity profile] flexibeast.livejournal.com
"Should we therefore ban them from posting to groups (particularly the social & support groups) because they're not tech savvy??? I don't think so."

Where the hell did i say we should??? All i'm arguing is that it's reasonable to ask people to not send HTML email, explaining why as we do so (as you know i did on the list - and civilly, too). Please point to something i've written that substantiates your implication that i suggested that people who post HTML emails should be banned.

Re: to HTML or not HTML

Date: 2007-06-18 11:29 (UTC)
From: [identity profile] flexibeast.livejournal.com
And just to make my position even more clear, i hereby reproduce something i wrote in a comment above (http://hierodule.livejournal.com/85806.html?thread=542510#t542510):
Re. HTML email specifically - i know that most people don't know why it poses a threat. That's why, when sacred_harlot raised the issue on the list in question, i wrote a very polite email summarising why HTML is problematic. What annoyed me was having another sysadmin on the list (not a general user - a fact i should have made clear in my post) suggest that we just need to put other security measures in place, rather than asking people not to use HTML email.

Now i believe that many (but certainly not all) people use HTML email not necessarily because they actively choose to, but because that's the default setting in the default email app they're using - just like many people don't actively choose to use IE, but use it because it's the default browser for Win. Further, from what i've seen of the content of HTML email over the years, there are rarely any occasions where the benefits of HTML that you speak of were actually required (teens who 'need' pretty colours in their emails notwithstanding).

The thing is, you and i may have a good idea about IT security, and be aware of the range of security measures that one needs to take in an ongoing way to reduce (not eliminate) our threat profiles - but that's not the case for most people. And given that most people see security as a burden to be avoided wherever possible, i think it's much more feasible to ask people not to send HTML emails than to ask everyone to implement the sort of comprehensive security measures that you and i undertake - the former is much more likely to actually happen than the latter! Especially because i believe most people want to "do the right thing", and will often be willing to trade off the ability to italicise occasionally for the feeling that they're reducing their possible contribution to security problems on the 'net (and many, if not most, Win users will have had an experience of their box(en) being affected by 'net-based security issues).

Re: to HTML or not HTML

Date: 2007-06-19 07:44 (UTC)
From: [identity profile] theuppitywoman.livejournal.com
Well, you stated that it's unacceptable that "It was also suggested that it's pointless asking people not to send HTML email, that people do it and we should just deal with it."

Since there is no option to make all posts to the group in question automatically non-html, each individual member has to change the settings on their email sender to plain text. This is clearly beyond many people.

So the only options left to you are either:
1) to not engage in any e groups where people use html OR
2) spend all your time haranguing people about html- even though most of them haven't the faintest idea what you're on about & probably don't care anyway. OR
3) to ban people from using html

Re: to HTML or not HTML

Date: 2007-06-19 07:46 (UTC)
From: [identity profile] theuppitywoman.livejournal.com
Yahoo groups don't actually have sysadmins- the owner (that'd be me in this case) & the moderators are just normal joes like everyone else in the group.

Re: to HTML or not HTML

Date: 2007-06-19 07:52 (UTC)
From: [identity profile] flexibeast.livejournal.com
Well, option 2 is closest to where i'm coming from: to occasionally ask people not to send HTML email - usually when there's been a rash of it, as seemed to happen on the list recently - and explain why. It's exactly the same approach i take to educating people about IT security issues in general - if the opportunity arises for some education, i'll make the effort. Even if i get through to only a few people out of the many i'm addressing, i'll still have made a positive difference.

Re: to HTML or not HTML

Date: 2007-06-19 07:57 (UTC)
From: [identity profile] flexibeast.livejournal.com
Yes, i know that. :-) - i have been the owner of two Yahoo! groups myself (currently only the owner of one, with ~150 members last time i looked).

But the sysadmin i was referring to was not you, nor someone that i understand to be a mod on that group - it was the person who, in that thread, signed himself "Cheery Sysadmin" on the post timestamped 2007-06-11, 00:50.

So no, i wasn't at all having a go at you or any other mods of that list. Sorry for giving you that impression. :-((
