- To: "'xml-dev@lists.xml.org'" <xml-dev@lists.xml.org>
- Subject: RE: [xml-dev] Turn Off Automatic Script Activation In Outlook (WAS RE: [xml-dev] Painful USA Today article (was RE: [xml-dev] ANN: REST Tutorial))
- From: "Bullard, Claude L (Len)" <clbullar@ingr.com>
- Date: Fri, 24 May 2002 09:28:41 -0500
I mean social engineering in the sense that they advertise
interoperation then turn it off to protect the unskilled
or insufficiently knowledgeable. The web and even the home
systems are lab experiments that escaped the lab into
a population that innocently bought into the massive hype
but were not aware of the dangers. I disagree that this
is not related to virus writers; they are exploiting it
criminally. The rest of your example comes down to
inconvenience that will prompt some learning on the
customer's part, but not criminal acts.
I agree it turned out that the environment was far more
hostile than some realized or wanted to admit although
some of the original community pointed it out. How that
happened is a different topic and one the MS engineers
and staff should discuss among themselves. That it happened
has become a problem for all of us. It is somewhat similar
to the introduction of smallpox to the aboriginal Americas.
It infested a population unaware of how to protect and
not knowledgeable of the need to protect. The same kind
of problem decimated the original Hawaiian population. It
produced unacceptable results, but largely by accident.
But we have to be clear that hostility by a group is
not a legitimate expression of free speech. In other
words, MS did a dumb thing. Exploiting a dumb thing
by attacking the systems of their customers is not
dumb: it is criminal, similar to giving smallpox
infested blankets to the aboriginal Americans.
The goals are to get MS to turn these features off
by default; clearly explain the risks of turning them
on. This is a case where the greater good for the
greater number is to turn it off because we are seeing
a multiplicative effect across the global environment.
A related by cause and effect but not intent goal
is to come to grips with the reality that an architecture
which insists anonymity is a first concern will protect
criminals. Anonymity is a problem. Is it a right?
I don't have a clear picture of this issue but it is
obvious that it can be exploited by criminals in such
a way as to make the web a risky technology for the
society that uses it. We have a bigger problem than
MS leaving on a feature by default.
len
From: Frank Richards [mailto:frank@therichards.org]
What you call "social engineering" sounds to me like trivial attention to good design.
Let us assume a totally 'benevolent' (literally 'well wishing') environment. The benefits of live content
running automatically largely accrue to users in large enterprises where big apps are set up to use it.
End user systems in those environments are configured by pros, who know what to do, and are going
to either script or look at all the settings anyway.
The dangers of INADVERTENT settings changes or file clobbers (yeah it's rare now, but this started with win95 which
is very brittle), or just having an attached MP3 play after you've just gotten the baby down for a nap, largely
accrue to the home users who don't want to have to diddle with settings (this isn't social engineering, it's giving the
customer what they both want and need) and frequently don't know how to reconfigure anyway.
It was a dumb move, even if viruses had never been invented.