... ciao:
: on "6-24-2013" "Jeffrey Walton" writ:
: On Fri, Jun 21, 2013 at 5:40 PM, Packet Storm
: <bugtraq@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
: >From the write-up:
: ]] It was clear that Facebook attacked the disclosure flaw properly, but
: ]] concerns still remain about the fact that dossiers are being built
: If you don't want your data analyzed, inspected, shared, mishandled,
: lost or stolen, then don't provide to social networking experiments,
: clouds and drop boxes in the first place.
that advice is as sage, as it is misplaced. preaching to the choir
comes to mind. my concern, is the congregation that has no clue as to the
implications of the message.
for example: the thought of someone running 'arbitrary code' is a
really scary prospect to me, but to most, 'arbitrary' means, "doesn't
matter". i am at something of a loss in understanding 'why' the "user"
community less concerned than it is. it would be partially correct to
'blame' it for its addiction to fluff.
however, 'pdf', 'js', et al, have a robust history as attack vector.
'that' is not the user's fault, but it is "our" dilemma. i have a hunch,
any meaningful solution, is going to put the 'middlemen', between a rock
and a hard place. the 'i ching' warns against 'blaming someone' for what
they do not know. that suggests 'we' either "educate", or "protect" if
we're serious in what we'er doing ...
--
... it's not what you see ,
but in stead , notice ...
