http://story.news.yahoo.com/news?tmpl=story&cid=74&e=5&u=/cmp/20050401/tc_cmp/160400719
If the link doesn't work, the title of the article is "Company
Bypasses Cookie-Deleting Consumers."
Apparently, the company United Virtualities uses Flash "shared
objects" in place of cookies. The article links to a Macromedia web
page that explains how to control "shared objects." I think that I
will just remove Macromedia software instead.
I hope that the anti-spyware vendors will provide features to control
these "shared objects."
--
David Arnstein
arnstei...@pobox.com
You can disable Flash, temporarily or permanently, using SpywareBlaster,
for example. This way, you can enable Flash for the sites you wish to.
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html
Adjust your 'Global' and 'Website' security-privacy settings there.
Agreed; however, the option is only a right-click away.
Cheers
Marko
I'm safe. I don't allow the evil Flash player on my PC.
In the long run, it doesn't matter, as more and more people are getting
broadband, where they either have static IP addresses, or they have
dynamic addresses that very rarely change. Combine that with hard disk
space being dirt cheap, and pretty much everything that a site can do
with a cookie on your computer, they can do with a database on their
server.
--
--Tim Smith
Visit http://www.macromedia.com/ or any site that shows Flash content.
Right-click on the Flash content and select Settings. Click on the
Folder icon button. Set their cache to zero and check the box to
remember your setting. Flash uses its own cookie files which have the
.sol filetype.
If the web page you visit with Flash content has disabled user
configuration of some settings, visit Macromedia's online settings
manager at
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html
(they have yet to deliver a separate utility that you can run locally).
Unlike UI applications that open their own window, the mouse cursor will
not change when you hover over clickable objects in that web page; i.e.,
you click on the tab buttons to change between panels but you won't see
the mouse cursor change to indicate they are clickable. If you use the
Website Privacy Settings panel (5th tab) to clear the Flash cookies
(.sol files), not all are deleted, as a file search will show some still
around, one of which retains the settings you configured.
I use PopUpCop as my popup blocker (works better than the rest that I've
trialed) but haven't yet managed to convince its author to include .sol
files in its cookie whitelist feature (the author isn't familiar with
Flash cookies enough to want to touch them yet).
You don't need anti-spyware to eliminate the shared objects (i.e., .sol
cookie files that different domains can access). Just set the Flash
caches to zero then you have no locally saved shared objects.
--
____________________________________________________________
Post your replies to the newsgroup. Share with others.
E-mail reply: Remove "NIXTHIS" and add "#VS811" to Subject.
____________________________________________________________
Some sites only provide a Flash-enabled web page because they want to
hide how their web site is structured so some bozo with a web crawler or
spider can't steal their web site. You'll find that you won't be able
to visit those web sites. They may provide a non-Flash equivalent page
but they may not. Just like it is your choice not to install and
support Flash content, it is just as much a web site's owner choice not
to let you steal their web site pages. So far, I haven't hit many sites
that are Flash-only sites but I have hit some, like my own ISP's home
page which paints a page that Flash must be installed to view their home
page (they no longer provide a non-Flash version if the Flash detect
fails).
Some sites that provide some free service make up for it by revenue
garnered from ads on their pages (yeah, you might not like the spam but
then you shouldn't be using their free service) and will use Flash to
present those ads, and if you have Flash disabled so the ads don't
display then the site refuses to show you their web page. You get their
service for free but those resources cost them money and they don't work
for you, so don't visit there if your intent is to pickpocket.
You can decide to not install Flash. Just be aware that more site
authors are attempting to protect their copyrighted content by NOT using
simply HTML coding and relying on other mechanisms to secure their site
code, like using Flash to hide the code.
>Some sites only provide a Flash-enabled web page because they want to
>hide how their web site is structured so some bozo with a web crawler or
>spider can't steal their web site.
That's right, and I have come across a few of those sites. I just
close my browser and say adios. No great loss.
>You can decide to not install Flash. Just be aware that more site
>authors are attempting to protect their copyrighted content by NOT using
>simply HTML coding and relying on other mechanisms to secure their site
>code, like using Flash to hide the code.
http://www.useit.com/alertbox/20001029.html
Summary:
Although multimedia has its role on the Web, current Flash technology
tends to discourage usability for three reasons: it makes bad design
more likely, it breaks with the Web's fundamental interaction style,
and it consumes resources that would be better spent enhancing a
site's core value.
> with a cookie on your computer, they can do with a database on their
> server.
>
>
> --
> --Tim Smith
There's something to be said for dial up connections.
One) It's cheaper.
Two) Can be accessed over any available phone line connection.
Three) More secure, anonymous, dynamic IPs.
I'm sticking with dial up. It's all I really need.
>
> Some sites only provide a Flash-enabled web page because they want to
> hide how their web site is structured so some bozo with a web crawler or
> spider can't steal their web site. You'll find that you won't be able
> to visit those web sites. They may provide a non-Flash equivalent page
> but they may not. Just like it is your choice not to install and
> support Flash content, it is just as much a web site's owner choice not
> to let you steal their web site pages. So far, I haven't hit many sites
> that are Flash-only sites but I have hit some, like my own ISP's home
> page which paints a page that Flash must be installed to view their home
> page (they no longer provide a non-Flash version if the Flash detect
> fails).
>
Vanguard, from the headers of your post, you appear to use Comcast. They
do have a non-flash version of their start pages. I was there yesterday
after turning flash off, via SpywareBlaster, for testing purposes. That
is, unless my meds were cranked way too high...
~~~~~~~~~~~~~~~~~~~~~~~~~
"AvianFlux" <neomo...@hotmail.com> wrote in message news:1112394939.2...@l41g2000cwc.googlegroups.com...
I started with Flash disabled. When visiting http://www.comcast.net, if
you disable Javascript then you won't get any of their home pages. All
you get is a white-on-blue page with just the text string "Please enable
Javascript in your browser to continue". So they refuse to provide a
non-Javascripted home page. If you enable Javascript but have cookies
blocked then their scripts screw up, continually retrying to detect
Flash, which results in a super-long wait until you eventually abandon the
attempt to get a page. With Javascript and cookies enabled, you will
get their http://www.comcast.net/flashUpgrade.html page which tells you
that you need to install Flash to visit their site. There is a "Go to
Lite" link which will take you to their non-Flash home page at
http://www.comcast.net/lite/ (but I am not taken there automatically
when Flash detection fails). So:
1. They won't paint a page unless you have Javascript enabled.
2. Their scripts get stuck in an indefinite loop trying to detect Flash
if cookies are blocked.
3. With Javascript enabled (to get past their first detection) and with
cookies enabled (so their scripts work) but with Flash still disabled,
you get their page telling you to install Flash (with a link to their
"lite" non-Flash page).
Their "lite" page is a crappy design. They used to have a non-Flash
page that looked similar to their Flash page.
>
> Their "lite" page is a crappy design. They used to have a non-Flash
> page that looked similar to their Flash page.
Without question, it looks low-end.
Right click on the 'Macromedia Flash Player Settings Manager' to launch
the Flash Media local settings control panel, and do the same thing
there.
Just disable, and set to 'None', every available feature, and
empty/delete the stored Flash Player files.
> This article from Yahoo/techweb describes a spying technique that uses
> features of Macromedia Flash:
>
[snip]
It's already being discussed in another thread:
Message-ID: <fo4r415inht3in9uv...@4ax.com>
(and f'ups thereto)
> I thihk that I will just remove Macromedia software instead.
>
[snip]
What took you so long to reach that decision?
Note the date on this article:
<http://www.extremetech.com/article2/0%2C1558%2C863408%2C00.asp>
> I hope that the anti-spyware vendors will provide features to control
> these "shared objects."
Unnecessary. The complete and totally effective cure is to simply not permit
Macromedia products to be installed on your system(s).
--
Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet02[at]appropriate-tech.net
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this domain is expressly prohibited under
47 USC S227 and State Law. Violators are subject to prosecution.
> A solution is provided by 'Macromedia Flash Players Settings Manager'
> at:
>
> http://www.macromedia.[REDACTED]
>
> Adjust your 'Global' and 'Website' security-privacy settings there.
And you trust the wolf to guard your henhouse because...?
Because Macromedia is a reputable firm as far as I know. They have
everything to lose and nothing to gain if they become known otherwise.
Do I trust them? No - I monitor them and everyone else.
>
> > I thihk that I will just remove Macromedia software instead.
>
> What took you so long to reach that decision?
>
> Note the date on this article:
>
> <http://www.extremetech.com/article2/0%2C1558%2C863408%2C00.asp>
Not that I'm overly fond of Macromedia, but the article you referenced is
dealing with Macrovision, not Macromedia. Two different companies as far as
I know.
--
Rick Simon rsi...@cris.com
Include "spam(trap)key" somewhere in the
body of any email to avoid spam filters.
I'll be damned. You are absolutely right. Over the past couple of years I
must have read dozens articles on this issue (plus several re-reads of the
cited one, since I tend to use it to explain why C-Dilla/SafeCast is evil);
and each time I've mis-parsed that name in the same way. No doubt this was
due to the same sort of neurological short-circuit responsible for the cliche
about adding the same column of numbers several times, and coming up with the
same *wrong* answer each time (hence the common wisdom to add them from the
bottom up, when attempting to check your work).
Nonetheless, between the "Local Shared Objects" nonsense and this:
<http://www.roughlydrafted.com/flash1.html>
it's pretty clear that Macromedia stuff should still be avoided.
And of course, Macrovision is a scumware outfit/product, for all sorts of
reasons we already know about *plus* this one.
Thanks for pointing out my error.
Then the authors and/or owners of those sites are incompetent, or malicious,
or both.
> because ...
[snip]
The "because" doesn't matter.
Any website which demands, for *whatever* reason, that I maintain trojanware
on my system is by definition beyond worthless.
> You can decide to not install Flash.
[snip]
Usually, yes. But be aware that many pre-packaged off-the-shelf systems sold
to consumers through mass-marketing channels like CompUSA, OfficeMax, etc.,
come pre-loaded with this trojanware. While the greatly preferable answer is
to simply not validate such sleazy tactics with your checkbook, some folks
will occasionally find themselves with little other practical choice. So it
becomes *vital* that the system be reconfigured (read: wipe the HDD and start
over from scratch; the presence of Flash is very probably the *least* of the
problems) *before* it is permitted to connect to the outside world.
> Just be aware that more site
> authors are attempting to protect their copyrighted content by NOT using
> simply HTML coding and relying on other mechanisms to secure their site
> code, like using Flash to hide the code.
Flash does not "hide" the site's HTML code. It is *executable* content that
is automatically downloaded to your system via links embedded in that HTML
code.
Nearly always, correct.
> Two) Can be accessed over any available phone line connection.
>
[snip]
Well, most of them. Office PBX systems can be problematic. The same used to be
so for hotels, but now most of them offer at least a POTS jack for dial-up
use, and those who cater to the "business traveler" often offer some form of
broadband connection (with WiFi fast becoming the most popular form, since it
is so cheap to install).
> Three) More secure, anonymous, dynamic IP's.
>
[snip]
Ooops! And you were doing so well, up to this point.
No. Dial-up is neither "more secure" (except perhaps in the "security by
obscurity" sense, which is always very poor security at best) nor even close to
anonymous. And dynamic IP is not a distinguishing characteristic of dial-up,
since most "consumer broadband" (i.e., DSL and "cable modem") services also
use DHCP to assign dynamic IPs to their users.
> I'm sticking with dial up. It's all I really need.
That's fine. But don't kid yourself about what it does (and does not)
provide.
Well, gee, of course everyone in the world is coding their web site just
for you. Get real, buddy. The world doesn't revolve around you. The
author codes his web site based on the audience he/she wants to target.
If you are in that audience, I'm sure the web owner doesn't give a
gnat's fart about losing your visit there.
> > because ...
> [snip]
>
> The "because" doesn't matter.
So why even bother with HTML, XML, CSS, Javascript, or any of the other
technologies available for coding a web site. They should all just
write it all in plain text for lil ol' you.
> Any website which demands, for *whatever* reason, that I maintain
> trojanware
> on my system is by definition beyond worthless.
According to your definition, VisualBasic, C/C++, Pascal/Delphi, the
Windows API, the Linux API, and every operating system is trojanware
because it enables malcontents to develop programs.
> > You can decide to not install Flash.
> [snip]
>
> Usually, yes. But be aware that many pre-packaged off-the-shelf
> systems sold
> to consumers through mass-marketing channels like CompUSA, OfficeMax,
> etc.,
> come pre-loaded with this trojanware.
And a Big Mac comes with mayo and pickles unless you ask to exclude
them. A product is packaged according to the market in which it garners
the most sales. If you want to tailor your host, do so and stop buying
pre-packaged goods. Some puny marketshare doesn't want Flash
pre-installed and you really think commercial sellers will give a damn
about loss of sales to such a puny market? Time to up the dosage,
buddy.
> > Just be aware that more site
> > authors are attempting to protect their copyrighted content by NOT
> > using
> > simply HTML coding and relying on other mechanisms to secure their
> > site
> > code, like using Flash to hide the code.
>
> Flash does not "hide" the site's HTML code.
Who the hell said that Flash hides HTML code? Flash coding of the
server-side stream doesn't use HTML at all. It is not executable
content, either. It's about time for you to start educating yourself on
how Flash really works. Some idiot journalist posts an article to pad
their portfolio and you go screaming mantra about trojanware without
basis. You really don't know what is a Flash "shared object", do you?
Can you say COOKIE!? Geesh, I suppose you think the .txt files for
cookies are executables, too.
Did you even bother to read the article mentioned in the originating
post? Obviously not, because the article even tells you how to disable
the cache used by Flash. The PIE is just a Flash cookie file (.sol)
saved on your drive, just like other cookies, that can be used to
rebuild the cookies that you deleted. Well, if you don't permit them
saving their persistent identification element (PIE), aka Flash cookie,
on your drive then your revisiting that same web site won't let them
rebuild a deleted cookie. Read my other post here if you really are
interested in how to prevent local storage of Flash shared objects. In
the same way that a script, AX, or program can make use of the data in
the .txt cookie files, the PIE-enabled web site that runs a Flash object
that reads the .sol cookie file for Flash can use its *data* -- that is
DATA -- to alter its behavior or rebuild prior information. So don't
let Flash leave .sol files on your host.
No, I don't program using Flash (I'm not a web designer) but it doesn't
take a whole hell of a lot of effort to just go checkout what are shared
objects for Flash. Guess you never bothered to right-click on a Flash
object in a web page to notice the Properties context menu and the
options you get.
Shared Objects: Flash MX Cookies
http://www.kirupa.com/developer/mx/sharedobjects.htm
Flash TechNote: What is a local Shared Object?
http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_16194
Dial-up dynamic IPs are more secure from directed hacks or DDoS. Where
broadband static/semi-static IPs that are fixed or change much less
frequently are more vulnerable. How often does DHCP assign new IPs to
their users? Once a day/a week/a month? Dial-up assigns a new IP with
each new logon to the ISP server.
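The persistent identification element described above is nothing more than a name/value record serialised into a .sol file on the client. As an added example (not code from any of the posts, nor Macromedia's own tooling), the following Python builds a constructed .sol, parses it back, and inventories a #SharedObjects-style directory tree the way the file search mentioned earlier in the thread would, reporting which object each file holds and which keys it carries. The header layout it uses (00 BF magic, length word, TCSO marker, AMF0 name/value pairs) is assumed rather than taken from the thread; the sample field names (uid, visits, optout), the domain directory and the location of the player's settings.sol are constructed for the demonstration.

```python
import os
import struct
import tempfile

# Assumed .sol layout (writer and parser below agree by construction):
#   00 BF | u32 body length | "TCSO" | 00 04 00 00 00 00 | u16 name length | name
#   | u32 AMF version (0 = AMF0) | entries: u16 key length | key | AMF0 value | 00
AMF0_NUMBER, AMF0_BOOL, AMF0_STRING, AMF0_NULL, AMF0_UNDEF = 0x00, 0x01, 0x02, 0x05, 0x06

def _amf0_encode(value):
    """Encode a Python scalar (None, bool, number, str) as an AMF0 value."""
    if value is None:
        return bytes([AMF0_NULL])
    if isinstance(value, bool):  # before the int check: bool subclasses int
        return bytes([AMF0_BOOL, 1 if value else 0])
    if isinstance(value, (int, float)):
        return bytes([AMF0_NUMBER]) + struct.pack(">d", float(value))
    if isinstance(value, str):
        data = value.encode("utf-8")
        return bytes([AMF0_STRING]) + struct.pack(">H", len(data)) + data
    raise TypeError(f"unsupported value type {type(value).__name__}")

def build_sol(name, fields):
    """Serialise `fields` as a local shared object called `name`."""
    nm = name.encode("utf-8")
    body = b"TCSO\x00\x04\x00\x00\x00\x00" + struct.pack(">H", len(nm)) + nm + b"\x00\x00\x00\x00"
    for key, value in fields.items():
        k = key.encode("utf-8")
        body += struct.pack(">H", len(k)) + k + _amf0_encode(value) + b"\x00"
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body

def _amf0_decode(buf, pos):
    """Decode one AMF0 value at `pos`; returns (value, next position)."""
    marker, pos = buf[pos], pos + 1
    if marker == AMF0_NUMBER:
        return struct.unpack(">d", buf[pos:pos + 8])[0], pos + 8
    if marker == AMF0_BOOL:
        return buf[pos] != 0, pos + 1
    if marker == AMF0_STRING:
        n = struct.unpack(">H", buf[pos:pos + 2])[0]
        return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n
    if marker in (AMF0_NULL, AMF0_UNDEF):
        return None, pos
    raise ValueError(f"AMF0 marker 0x{marker:02x} not handled")

def parse_sol(buf):
    """Return (object name, {key: value}); raises ValueError on a malformed blob."""
    if buf[:2] != b"\x00\xbf" or buf[6:10] != b"TCSO":
        raise ValueError("not a .sol blob")
    if struct.unpack(">I", buf[2:6])[0] != len(buf) - 6:
        raise ValueError("length field does not match blob size")
    n = struct.unpack(">H", buf[16:18])[0]
    name, pos = buf[18:18 + n].decode("utf-8"), 18 + n
    if buf[pos:pos + 4] != b"\x00\x00\x00\x00":
        raise ValueError("only AMF0 shared objects are handled here")
    pos, fields = pos + 4, {}
    while pos < len(buf):
        n = struct.unpack(">H", buf[pos:pos + 2])[0]
        key = buf[pos + 2:pos + 2 + n].decode("utf-8")
        value, pos = _amf0_decode(buf, pos + 2 + n)
        if pos >= len(buf) or buf[pos] != 0:
            raise ValueError("missing entry terminator")
        fields[key], pos = value, pos + 1
    return name, fields

def is_valid_sol(buf):
    """True if `buf` parses as a well-formed AMF0 shared object."""
    try:
        parse_sol(buf)
        return True
    except (ValueError, struct.error, IndexError, UnicodeDecodeError):
        return False

def inventory(root):
    """Walk a #SharedObjects-style tree; one (relative path, object name, sorted keys) per .sol."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".sol"):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    name, fields = parse_sol(fh.read())
                found.append((os.path.relpath(path, root), name, sorted(fields)))
    return sorted(found)

def demo_inventory():
    """Write a constructed tree (a tracking object plus the player's own settings.sol) and list it."""
    root = tempfile.mkdtemp()
    samples = [  # paths and field names are constructed; settings.sol location is assumed
        ("example.com/tracker.sol", "tracker", {"uid": "c0ffee-0001", "visits": 3, "optout": False}),
        ("macromedia.com/support/flashplayer/sys/settings.sol", "settings", {"gain": 50}),
    ]
    for rel, name, fields in samples:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(build_sol(name, fields))
    return inventory(root)
```

Pointing inventory() at a real player profile directory instead of the temp tree shows the same thing the post describes: the per-site objects go away when the cache is zeroed, while the player's own settings object stays behind. The length check in parse_sol also makes truncated or hand-edited files fail loudly rather than yield a partial record.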
I didn't say that it did; and your comment in no way relates to what I *did*
say.
> The
> author codes his web site based on the audience he/she wants to target.
[snip]
OK, let's assume for the moment that's correct. So it follows that if he
insists on that "audience" having trojanware installed, he's going after rank
idiots. Why would you want to be part of that crowd?
> If you are in that audience, I'm sure the web owner doesn't give a
> gnat's fart about losing your visit there.
>
[snip]
Huh?!?
If I'm part of the target audience, the site owner doesn't care if I visit or
not? How is that anything but self-contradictory?
> > > because ...
> > [snip]
> >
> > The "because" doesn't matter.
>
> So why even bother with HTML, XML, CSS, Javascript, or any of the other
> technologies available for coding a web site. They should all just
> write it all in plain text for lil ol' you.
>
[snip]
You are being facetious -- and missing the point by a country mile.
> > Any website which demands, for *whatever* reason, that I maintain
> > trojanware
> > on my system is by definition beyond worthless.
>
> According to your definition, VisualBasic, C/C++, Pascal/Delphi, the
> Windows API, the Linux API, and every operating system is trojanware
> because it enables malcontents to develop programs.
>
[snip]
Wrong. And I'll thank you to stop trying to put words in my mouth.
> > Usually, yes. But be aware that many pre-packaged off-the-shelf
> > systems sold
> > to consumers through mass-marketing channels like CompUSA, OfficeMax,
> > etc.,
> > come pre-loaded with this trojanware.
>
> And a Big Mac comes with mayo and pickles unless you ask to exclude
> them. A product is packaged according to the market in which it garners
> the most sales.
[snip]
And as is well-known in marketing circles, the biggest market is the lowest
common denominator -- i.e., the rank idiot. I repeat my question from above:
Why would you want to be part of that crowd?
> > > Just be aware that more site
> > > authors are attempting to protect their copyrighted content by NOT
> > > using
> > > simply HTML coding and relying on other mechanisms to secure their
> > > site
> > > code, like using Flash to hide the code.
> >
> > Flash does not "hide" the site's HTML code.
>
> Who the hell said that Flash hides HTML code.
[snip]
You did -- or at least, that's what you attempted to imply. See above.
> Flash coding of the
> server-side stream
[snip]
...is meaningless doublespeak.
Got any more "kewl" buzzwords you'd like to throw around at random?
> doesn't use HTML at all.
[snip]
Then how does the .SWF file get loaded by the browser, hmmm?
> It is not executable
> content, either.
[snip]
Yes, it is. It is tokenized cross-platform code, as opposed to
platform-specific binary, so it needs an interpreter (the Shockwave Flash
Player, in this case); but it *is* executable.
> It's about time for you to start educating yourself on
> how Flash really works.
[snip]
Physician, heal thyself.
> No, I don't program using Flash (I'm not a web designer)
[snip]
Didn't think so.
> Dial-up dynamic IPs are more secure from directed hacks or DDoS.
[snip]
Those are two rather different things; but to the extent that they are
similar, they are also straw men (at least in this context). Such "directed"
attacks are very rarely aimed at individual end-users, regardless of the type
of connection said user may use. If you are running a very "visible" web site
or other public service (such as a DNSbl, for example), *that* is what may
attract such a "directed" attack; but then, you would not be doing this from a
dial-up anyway, so it's a moot point.
> Where
> broadband static/semi-static IPs that are fixed or change much less
> frequently are more vulnerable.
[snip]
This is simply an Old Wives' Tale.
It's not the "relatively stable IP" that makes most "consumer broadband"
connections a security issue; it their relatively high bandwidth and "always
on" characteristic, combined with the typically (grossly) misconfigured system
("administered" by an idiot) that is hung off the loose end of the string.
As stated above, the only type of "attack" that such "stable" addresses would
make (near-trivially) more convenient are not a practical concern for at least
most end-users anyway. So, moving on...
> How often does DHCP assign new IPs to
> their users? Once a day/a week/a month? Dial-up assigns a new IP with
> each new logon to the ISP server.
True, but irrelevant.
This is what I was referring to when I mentioned "security by obscurity"; and
it is essentially useless against the *only* "outside attack" threats most
end-users will ever be exposed to.
The *vast* majority (way better than 99%) of the attacks seen by end-users are
essentially random in nature -- the product of port-scanning 'bots and various
worms that are *constantly* looking for targets anywhere they can find them.
To these very mindless processes, an IP address is an IP address is an IP
address; it matters not whether said address is static or dynamic, or served
through a 56Kbps dial-up or a 2.5Gbps OC-48. It is not unreasonable to think
of it simply as "background noise", because it is *always* there, any time you
connect to the outside world[1].
If at any given moment the noise gets too loud, it can effectively constitute
"sort of" a DDoS attack; but even when this happens, the attack is not being
directed at you specifically. Similarly, if you happen to be connected when a
"magic packet" happens along (as they do quite regularly, if not as often as
some other types of malicious traffic), and your underlying system is
vulnerable to such things, then your system will likely lock up or crash. The
functional mechanics of this particular nastygram make it somewhat closer to a
true DoS attack; but it is still just part of the "random noise" of the
internet, and is *not* being "directed" at you in particular.
It inescapably follows from this that the likelihood of being "hit" by any of
these "robo-attacks" during any given minute online is NOT dependent on
whether you were or were not connected the minute before ("chance has no
memory") or whether your IP address has changed recently. Yes, you can reduce
your total exposure somewhat by reducing the amount of time you spend
connected; and indeed, dial-up would seem to accomplish that end. But the
thing is, there is *so* much of this sort of "random malicious traffic"
floating around at all times[2] that even if you were to connect for only 5
minutes at a time, it is near-certain that you would get hit several times
during each connection. So in the end, it's still not *really* any more
secure.
Footnotes:
[1] - Or even to "only" your own ISP, for that matter. In many cases, most of
the traffic from these 'bots and worms that you actually see will be sourced
from *within* your own ISP's network, due to border-router filtering
implemented by your ISP that is not effective *within* the network.
[2] - I mostly blame irresponsibly lazy/skinflint ISPs for this sad state of
affairs. They *could* effectively put an end to at least the vast majority of
this crap, *if* they wanted to; as the saying goes, it's not rocket science.
It wouldn't even cost all that much -- but it wouldn't be free; and in the
ultra-competitive and horridly low-margin ISP industry, any "security" measure
that costs more than a nickel simply won't happen unless it is absolutely
necessary to keep their network functioning, or there is a very visible public
outcry.
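Taking the "chance has no memory" point above as a worked derivation (added here, not part of the original post): model the background scan and worm traffic reaching any one address as a Poisson process with rate $\lambda$ hits per minute, where $\lambda$ is an assumed parameter the thread never quantifies.

$$P(\text{no hit during } t \text{ minutes}) = e^{-\lambda t}$$

so if $T$ is the time to the first hit after connecting,

$$P(T > s + t \mid T > s) = \frac{e^{-\lambda (s+t)}}{e^{-\lambda s}} = e^{-\lambda t} = P(T > t).$$

The probability of surviving the next $t$ minutes does not depend on $s$, how long the connection has already been up, nor on whether the address changed at time $s$. The expected number of hits over a session of length $t$ is $\lambda t$, so reconnecting every 5 minutes yields $5\lambda$ expected hits per session and the same daily total as a single session of equal connected time.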
Didn't realize you were confused about the topic. I was talking about
the shared objects (i.e., the Flash .sol cookie files), not about the
interpreter that locally executes the applet which then reads these data
cookie files. JVM is not evil because an applet you download does
something you might not want, like announce to you your own IP address
under the pretense that it is exposed. Word isn't evil because it can
run macros: anti-virus programs scan using signatures against macros
rather than block macros altogether.
Flash isn't evil. The shared objects (data cookies) aren't evil since
you can even choose to simply not keep them. The applet you download
might be "evil". While IE has an option to prompt you when an AX
control is to get downloaded, it doesn't have a similar option regarding
Flash/Shockwave .swf files and its cookie management does not extend to
.sol files. So, right now, your choices are: as a workaround, allow
.swf files but block the local storage of shared objects (by zeroing the
cache size) to render PIE ineffective; or, block Flash altogether (by
not installing it); or, kill all ActiveX support in the browser or use
one that doesn't support ActiveX.
Avoiding all Flash content because of the potential "evil" of PIE,
especially when the workaround nullifies it, is like avoiding contact
with all humans because some are nasty (and, yep, for some folks that
has been their choice to be shut-ins). Of course, those ranting the sky
is falling because Flash is running on their systems and proselytizing
that Flash is evil and must never be installed really should be using a
browser that doesn't permit ActiveX controls at all, like Firefox.
After all, to them the problem isn't just with Flash but rather with all
ActiveX functionality. They could kill off all ActiveX support in IE,
too, and Java, and scripting, and ... well, maybe they should just be
using Lynx or some other text-only browser for safe surfing or even more
effective is to stay off the Internet and become a shut-in. If you
can't handle something like a data cookie file or bother to configure a
zero sized cache then you'll be a victim of far worse nasties on the
Internet. For those users, PIE would be the least of their problems.
Flash provides interactive movies. Since you inferred that you are a
Flash programmer, are the functions or methods available within Flash
less potent than those in a Java applet or more potent? While Flash
applets might be considered more stable than java applets, I thought
Flash applets were less potent (i.e., you can do more with Java than
Flash). Are the methods within the client-side Flash applet (.swf file)
executed locally, or are their actions effected at the server which then
alters the graphic content sent to the local Flash object (i.e.,
interactive movies with the actions sent to and committed on the server,
so the Flash applet is just the UI to execute server-side actions)?
ActiveScripting is the scripting language used by Flash, but its
description to provide interactive movies is that it is used for two-way
communications back to the Flash *server*. There do appear to be some
script commands that perform a local function, like controlling the
progression of a movie so it just doesn't play from frame 1 to the last
frame and then just repeat or stop there. While the program within the
applet is executed locally, it seems that its actions must be performed
back at the Flash server. The FSCommand method lets the applet use
scripting but I thought that was to use Javascript functions specific to
Flash movies.
I'm still trying to find where are these big evil nasties in the Flash
AX control that has some folks screaming that the sky is falling. I
already know that shared objects is not the nasty that has been claimed
in this thread. If the Flash Javascript API (JSAPI) didn't restrict
the called Javascript objects to act only upon the Flash movie then there
would be potential for abuse (as far as Javascript can be abused).
Since the ActionScript language lets you write scripts to perform
actions in the Macromedia Flash Player environment (that is, while a SWF
file is playing), and since JSAPI is called from ActionScript commands,
it seems the Javascript only applies against the movie. The DOM
(document object model) for the Flash JavaScript API consists of a set
of top-level functions and the top-level flash object. So far, it seems
to be a well-protected program execution environment.
Someone writes a Flash applet that downloads from their server host to
your client host to safely execute its code locally within a protected
Flash environ which reads a PIE *data* file (the .sol cookie) to rebuild
a .txt cookie (which seems redundant and superfluous, anyway, since
they'd already have the info from the .sol file) but which is obviated
by setting the client-side caching to zero so there never was a PIE
cookie file to read, anyway. So where's the problem? That users don't
even bother to look on how to configure the settings for their Flash
player? How many times have you seen a lazy poster in the newsgroups
asking about OE blocking access to e-mail attachments simply because
they don't bother checking for an applicable option in the program that
alters its behavior?
Set the Flash player's local cache size to zero. The article mentioned
in the originating post already gave a link on how to do that. Problem
gone.
I am not and was not confused about the topic; although I apparently did
"misunderstand" your meaningless gobbledygook buzzword-dropping. Here are the
*complete* quotes:
[From my Message-ID: <fcl0519k307gmtmu6...@news.speakeasy.net>]
--> > Just be aware that more site
--> > authors are attempting to protect their copyrighted content by NOT
--> > using simply HTML coding and relying on other mechanisms to secure
--> > their site code, like using Flash to hide the code.
-->
--> Flash does not "hide" the site's HTML code. It is *executable* content
--> that is automatically downloaded to your system via links embedded in
--> that HTML code.
[From your Message-ID: <dradnQSRjL6...@comcast.com>]
--> > > Just be aware that more site
--> > > authors are attempting to protect their copyrighted content by NOT
--> > > using
--> > > simply HTML coding and relying on other mechanisms to secure their
--> > > site
--> > > code, like using Flash to hide the code.
--> >
--> > Flash does not "hide" the site's HTML code.
-->
--> Who the hell said that Flash hides HTML code. Flash coding of the
--> server-side stream doesn't use HTML at all. It is not executable
--> content, either.
Despite the meaningless gobbledygook buzzword-dropping, it seems pretty clear
to me that the "topic" under discussion in these passages is Flash in general,
not one specific function of it in particular.
Then, two rounds of follow-ups later, you claim we were really talking about
something else, which wasn't even mentioned in the pertinent passages.
Riiiiiight.
> Flash isn't evil.
[snip]
That's your opinion.
My opinion is that, at the least, the presence of the (current) Flash
interpreter on your system enables evil things to be done. The fact that an
astute and alert user (which is by definition a rare bird) can (sometimes,
maybe) mitigate the damage through various "workarounds" does not change that.
Further, the company promoting and profiting from your (and everyone else)
having the Flash interpreter on your system is clearly going in the wrong
direction, in terms of the issues generally considered important in this forum
(cf. <http://www.roughlydrafted.com/flash1.html>, if you have any doubt about
that). Hence, the prudent, responsible, and (especially) ethical course of
action is to boycott that company's products en toto.
> Since you inferred that you are a
> Flash programmer,
[snip]
I "inferred" no such thing. I didn't imply it either.
Why do you make stuff up out of whole cloth?
The OP mentioned the article. The article mentioned shared objects. In
other posts, I noted how to zero the cache so you won't save any, and
the article mentioned a link to do that, too. Yeah, I was way
off-topic, uh huh. And, of course, it is always possible to discuss the
data files used by an applet without ever referring to the applet or the
interpreter for it.
>
> Riiiiiight.
>
> > Flash isn't evil.
> [snip]
>
> That's your opinion.
>
> My opinion is that, at the least, the presence of the (current) Flash
> interpreter on your system enables evil things to be done.
And by similar application of your rationale, korn shell with its
scripting ability, Perl interpreters that can run scripts, Word that can
run macros, or anything that "enable evil things to be done", which
includes even the operating system, are evil. Okay, disconnect and nuke
your computer. You don't get to use rationale on one interpreter
without the same logic applying against all of them. I'm not saying
that you must have Flash, any more than I'm saying that you need Perl,
Korn, Word, Java, or any other code enabling product, but I don't think
a lot of folks want to regress back to flipping switches on an Altair
box.
> The fact that an
> astute and alert user (which is by definition a rare bird) can
> (sometimes,
> maybe) mitigate the damage through various "workarounds" does not
> change that.
Yes, only the astute can ever figure out to look at the options for a
program. As the topic grows through discussion and publication, more
users will be made aware of how to configure the Flash player based on
their interpretation of the supposed threat. But telling user to simply
wipe Flash from their system does them a disservice because it takes the
extreme approach while leaving them ignorant of the simple fix. So
instead of educating them on how to avoid the problem should they deem
it actually is one, your solution is to leave them ignorant and push out
a flat and uninformative "uninstall it" solution. The users don't have
to be rocket scientists to just be reminded that there are options
available for most programs that they use, and that includes the Flash
player, too.
When and if PIE actually gets implemented, the topic will be much more
discussed and it won't take some astute user that figures out how to
bother looking at the options to know how to eliminate the problem.
Your solution: wipe Flash from the computer. The real solution: set the
cache size to zero. Your solution: can never view any Flash content
again. The real solution: they get to use Flash without any potential
for abuse (which surmounts to just tracking them) from storing shared
objects. With your logic, since there is a flaw then it must be
abandoned, and that would apply to Windows itself - AND it would apply
to every other operating system since none are perfect; else, patches
would never be available.
> Further, the company promoting and profiting from your (and everyone
> else)
> having the Flash interpreter on your system is clearly going in the
> wrong
> direction, in terms of the issues generally considered important in
> this forum
> (cf. <http://www.roughlydrafted.com/flash1.html>, if you have any
> doubt about
> that). Hence, the prudent, responsible, and (especially) ethical
> course of
> action is to boycott that company's products en toto.
Macromedia isn't responsible for what behavior the coding performs from
someone else, any more than Borland is responsible for virus or spyware
developed using their C compiler, no more than you are responsible for
how any product that you have produced gets misused by some hacker or
malcontent. Imagine trying to sue Vinton Cerf
(http://web.mit.edu/invent/iow/cerf.html) just because he helped develop
TCP which resulted in enabling the spread of porn, spam, spyware,
viruses, and other malware. Most likely will be that Macromedia will
provide another option (yep, you'll probably have to be one of those
oh-so astute users that actually look at options) regarding PIE-enabled
web sites for those users that still want to locally cache some shared
objects. From what I've seen described of PIE, it will actually
identify itself, so the Flash player could be configured to prompt the
user just like the browser now allows prompting for cookies, or the user
could just configure to always accept or always reject. Until then, set
the cache to zero. Of course, Macromedia might just take the stance
that, hey, it is just another applet reading a data file that any applet
can do regarding the .sol files and this is just one particular case of
that scenario, and just leave us with the global option to never save
shared objects rather than trying to target just one domain. Actually,
you can already target just one domain to zero out any storage of shared
objects from just that domain but, alas, again that's a configurable
option and must surely be outside the realm of the typical user who is
already held hostage by all those other options in all those other
programs that they also run.
Telling users it is an option is no more rocket science than the same
folks, like you, telling them to uninstall it or always refuse to accept
its download and install, or telling them about any other option.
>
> > Since you inferred that you are a
> > Flash programmer,
> [snip]
>
> I "inferred" no such thing. I didn't imply it either.
>
> Why do you make stuff up out of whole cloth?
Sorry, my bad. I figured if you knew that I was wrong about the zero
cache solution which was also mentioned in the article in the OP and
also described at Macromedia that somehow you had more privy knowledge
of how Flash works than what is documented for it.
You don't like Flash and really do consider it evil because it "enables"
malcontents or the less moral to do things that you don't like. I don't
understand why that same logic doesn't apply against almost everything
else that falls under the title of "software". I figure Flash is okay
if you configure its behavior the way that you want it to behave. I
didn't abandon Outlook because they changed the pane layout to something
that I didn't like - because there was an option to make its layout the
way that I do like. You don't like Flash, but is it responsible to tell
users to simply uninstall it, or instead tell them that they can
configure it using an option to avoid the problem altogether (and
perhaps mention uninstalling it as the extreme solution)?
There are viruses that sit in the local Java cache and your solution
would be to uninstall the JVM rather than just flush the cache (and
optionally disable it). After all, the JVM "enables evil things to be
done". Oh wait, since it is an option then only astute users can retain
the product while altering its behavior. Yeah, toss the baby out with
the dirty bath water. Amazing how initiative is assumed dead everywhere
and no one ever considers to even bother to go look.
Because the cursor doesn't change shape, users aren't made aware of the
clickable spots on that page (when I first visited there, I thought they
were just showing me a picture of the settings manager and I kept
hunting around for a download). I have asked Macromedia to provide a
local client program that allows the user to change Flash settings
without using their web site. Their method requires you to be online
and visit their web site to make changes to the settings (beyond the
default ones included by the Flash settings when right-clicking on Flash
content). Their response is "we're working on it." That was a couple
months ago but obviously Flash has been around awhile and still no local
client program to configure Flash without having to go online.
--
____________________________________________________________
** Post your replies to the newsgroup - Share with others **
For e-mail Reply: remove "NIXTHIS", add "#VS811" to Subject.
____________________________________________________________
> [snip quoted sig -- please fix your newsreader to respect sig
> delimiters, and learn to trim your posts correctly]
>
And your sig is RFC compliant ?
> On Sun, 03 Apr 2005 12:53:13 GMT, in <alt.privacy.spyware>, Rick
> <rsi...@cris.com> wrote:
> >
> [snip]
> >
> > Not that I'm overly fond of Macromedia, but the article you
> > referenced is
> > dealing with Macrovision, not Macromedia.
> [snip]
>
> I'll be damned. You are absolutely right. <snip>
> Thanks for pointing out my error.
>
And that type of issue leaves your credibility where Jay ?
Just curious. What about Jay's signature is not RFC compliant? The
sigdash delimiter is "-- <CR-LF>" (dash, dash, space, newline). There
is no restriction that another sigdash string cannot appear somewhere
after their first sigdash; i.e., all further sigdash strings are
irrelevant since the start of the signature has already been delimited.
It is *recommended* that a signature be limited to 3 or 4 lines, not
including the sigdash line itself. It is not a requirement, only a
suggestion (and a good one, too), especially since it is simply an
agreed upon netiquette and not a standard. Being longer than 3 or 4
lines does not make a signature non-compliant since it was not a
REQUIRED or MUST condition.
Oh, and in just what RFC is the sigdash even defined? The sigdash is a
de facto standard, not an RFC standard. Someone know an RFC that
defines the sigdash delimiter *and* specifies any structure per REQUIRED
or MUST conditions?
RFC 1036 for Usenet messages (which obsoletes RFC 850) doesn't define
quoting. RFC 977 for NNTP defines the transfer protocol and not the
message content or formatting. Many of the standards for formatting
come from e-mail, so I looked at RFC 2822 but it had nothing about
quoting [the original message]. Eventually I found RFC 3676 which says
the quote line must start with the ">" character so a leading space
violates the RFC.
Jay is using Forte Agent which their users claim is more compliant than
OE. It seems odd that Xnews (what Mandy uses) or Gravity (what you use)
can't figure out how to parse quoted content by detecting a line that
starts with the quoting character while ignoring any whitespace before
it. I figure if OE can handle it than most other common NNTP clients
should handle it, too. Since I'm using Outlook Express, I'm pretty sure
there is something non-compliant in my posts, too.
Yes, actually, it is.
>
> And that type of issue leaves your credibility where Jay ?
Still way ahead of yours, troll.
*plonk*
All quite correct, except for the omission of one salient detail: The ">"
character is only canonical as a quote indicator in the context of, and the
requirement for it to be the first character of a quoted line is only relevant
to, MIME Content-Type: "format=flowed" documents, which these Usenet articles
are not.
> Jay is using Forte Agent which their users claim is more compliant than
> OE.
[snip]
Correct. But then, a ground slug would likely be more RFC-compliant than
Outhouse Excuse. <~>
If RFC 3676 which defines quoting only applies for MIME encoding then,
by your own argument, you are using quoting when it doesn't apply.
Basically you screwed yourself in your argument: quoting only applies
with MIME, you're not using MIME so you should not be using quoting its
conventions, but you do use quoting. Maybe you know of another RFC that
defines quoting that is not in any way related to MIME or mentions it.
Of course, Jay's 12-line signature isn't exactly de facto standard,
either. The sigdash is not RFC defined but the common netiquette or de
facto standard is to keep it under 3 or 4 lines, which is a third of
Jay's signature line count.
Is the problem that Forte actually forcibly prepends a space character
before the leading quote character? Or did you redefine the quoting
sequence to add a space before the quote character? OE won't do it but
I thought Forte would compress the quoting to eliminate unnecessary and
space-wasting spaces between the quote characters. So when you replied
to a reply, the leading double indention would look like ">>" instead of
"> >", triple indention would look like ">>>" instead of "> > >", and so
forth. Since your prior post with double indention looks like " > >"
then it looks like YOU reconfigured Forte to deliberately change the
quote character from ">" to " >" (i.e., you change it from one character
to a 2-character string).
--
____________________________________________________________
** Post your replies to the newsgroup - Share with others **
For e-mail Reply: remove "DELETE", add "~VN56~" to Subject.
____________________________________________________________
In RFC 1036, it discusses the various headers and transfer mechanisms
but I saw nothing about how to handle inclusion of original content in a
reply (i.e., quoting).
Articles, like the one above at the link, are not standards, nor is this
one even really a synopsis of netiquette that has become a de facto
standard. The Net is rife with articles on what conventions are used
regarding quoting, like
http://members.fortunecity.com/nnqweb/nquote.html (and note question &
answer #11). Since such conventions may change over time, an NNTP
client that has been abandoned or been stagnant won't keep pace with the
changes or its code maintained to correct bugs or alter behavior to
conform. Gravity got abandoned quite awhile ago but looks like it got
picked up by enthusiasts and is now at
http://sourceforge.net/projects/mpgravity/. Did you get it from there?
They have forums (http://sourceforge.net/forum/?group_id=95245) where
you might want to ask why Gravity cannot ignore contiguous whitespace
characters before the quote character; however, there are so few posts
there that you probably won't get a response. You could post a bug
report to see what, if any, response you get from the developers. You
might also want to ask over in the alt.usenet.offline-reader and
alt.usenet.offline-reader groups.
In trying to find something that shows standardization or a
representation of a de facto standard, RFC 3676 was the closest that I
could find despite that its context is primarily for use with MIME
encoding (although there may be no MIME parts within the body of the
message since the content type and formatting can be specified globally
by headers). The fact that NNTP clients let users select which
character to use for quoting or even specify a string of characters
reflects the fact that there is no substantive standard available that
dictates exactly how quoting is always to be performed.
While there is the common netiquette regarding many Usenet conventions
(which are not themselves defined standards by a recognized authority),
Jay decided to be non-conventional. That's like some posters that
change the quote character to "|" or ":" instead of ">". While most of
us would prefer to compress the quote indents to eliminate spaces, Jay (or
Forte) chose to add more space.
That's a (personal page) mirror site, so you probably have the latest
version of Gravity. Another mirror is at http://gravity.tbates.org/.
> Using a space isn't standard - that's it - period.
Yeah, by your own standard or due to the behavior by your particular
NNTP client. One user and one NNTP client do not a standard make even
for a de facto standard (de facto standards or conventions require the
consensus of a population larger than one). Have you tried other NNTP
clients, like Thunderbird, XanaNews, Forte, and Xnews, to see if they
are just as incapable of handling leading contiguous whitespace before
the quote character? How does the Gravity not "format correctly in
[your] newsreader"? Have you e-mailed Tom to find out his stance on why
Gravity doesn't work right? Otherwise, you might want to ask in the
newsgroups already mentioned before (and the same ones that Tom suggests
to visit; he suggests putting "Gravity" in the Subject field). Could be
it is a known issue with that program or something the programmer(s)
just didn't think of.
Not "f*cking around"; see my most-recent f'up to "Vanguard" in this thread for
the genesis of my particular quoting style. And FWIW... If you find my
articles to be "unreadable", then your newsreader is seriously broken.
Bzzzzt. Wrong, Thanks for playing.
It's quite obvious you do not understand the very RFC you're waving around.
First, "quoting", per se, is a long-established custom in text-based
electronic messaging -- a custom which predates that RFC by a *wide* margin
(and probably Usenet itself, for that matter).
Second, and even ignoring that, the RFC in question does NOT "define quoting";
it merely defines _one_method_ of quoting, and does so *only* in one very
specific context, for a very specific reason which is only relevant in that
context.
Third, the RFC in question is NOT applicable to MIME-format messages in
general, let alone Usenet (or e-mail) messages in general. As was clearly
stated earlier, it is applicable *ONLY* to MIME Content-Type: "format=flowed"
documents.
And finally... My quoting style has been developed over a period of more than
20 years, going back to the BBS-echomail circuits of the early '80s. That
"style", including such details as the specific quote-prefix string, is
designed to optimize readability on as wide a variety of equipment as
reasonably possible -- including that which does not make any distinction for
"color" (such as TTY terminals used to telnet into an NNTP server, or any true
text-mode newsreader, for that matter), or even such layout-specific details
as character spacing, for that matter (such as the text-to-speech synthesizers
often used by visually impaired users). So, while I'm not carving anything in
granite, I'm also not inclined to change it at this point for the sake of
accommodating the idiosyncrasies of some provably-awful Johnny-come-lately
"newsreader" (like Outhouse Excuse, for example).
Irrelevant.
> It's quite obvious you do not understand the very RFC you're waving
> around.
And it is obvious you do not understand that RFCs regarding Usenet
standards also refer back to RFCs regarding e-mail standards. For
example, RFC 850, "Standard for Interchange of USENET Messages", refers
to RFC 822, which was obsoleted by RFC 2822, "Internet Message Format",
which specifies the syntax for electronic mail messages.
I did not say that RFC 3676 which discusses quoting style within MIME
content actually applied against Usenet postings. I said it was the
only RFC that I've found so far that actually defines quoting style and
that I never found an RFC that standardized quoting style outside of
MIME.
So the only "standard" regarding quoting style (strictly outside of
MIME) is a de facto standard or conventional use over time. As such,
and because that de facto standard itself is never succinctly defined by
a recognized overruling authority, it is up to interpretation. Of all
the posts that I have seen that using quoting, yours has been the first
where a leading space was added by that sender. Does Forte actually
come pre-configured with a leading space to the quote character (and
changing it from a single character to a 2-character string)?
> First, "quoting", per se, is a long-established custom in text-based
> electronic messaging -- a custom which predates that RFC by a *wide*
> margin
> (and probably Usenet itself, for that matter).
Is there another RFC that addresses standardization of quoting style for
non-MIME messages? If a standard doesn't exist then anyone can use
anything, as is illustrated by your altered quoting style.
> And finally... My quoting style has been developed over a period of
> more than
> 20 years,
Which is unique to you because no one else that I've seen posting,
regardless of which NNTP client they use, is prepending a space to the
quote character.
> That "style", including such details as the specific quote-prefix
> string, is
> designed to optimize readability on as wide a variety of equipment as
> reasonably possible -- including that which does not make any
> distinction for
> "color" (such as TTY terminals used to telnet into an NNTP server, or
> any true
> text-mode newsreader, for that matter), or even such layout-specific
> details
> as character spacing, for that matter (such as the text-to-speech
> synthesizers
> often used by visually impaired users).
The debate is not over the use of quoting or even which character is
used for the quote character (since even that is variable since no
authoritative standard exists). The debate is over you adding a space
BEFORE the quote character.
> I'm also not inclined to change it at this point for the sake of
> accommodating the idiosyncrasies of some provably-awful
> Johnny-come-lately
> "newsreader" (like Outhouse Excuse, for example).
Outlook Express doesn't have a problem displaying your posts that have a
space prepended to the quote character. Far Canal is the one having the
problem with formatting because of your unique quoting style which does
not appear conformant to the de facto convention. I would agree that it
is the fault of his NNTP client, Gravity, of not being able to ignore
contiguous whitespace characters before the quote character and he will
have to contact the programmers to fix that. But that behavior (of
ignoring preceding contiguous whitespace characters) is needed only to
obviate irregular quoting styles. From what I've seen so far describing
the Usenet standard for quoting, the quote character must be in position
1 on the line, and a space character is not allowed to be a quoting
character (i.e., it must be a visible and printable character).
Oh, and since Usenet convention is to limit the signature to 3 or 4
lines, you aren't conformant there, either. Because there are no
authoritative standards regarding quoting (outside of MIME) or
signatures, it's not that your style is wrong (you can't be wrong if
there is no rule to disobey) but rather that they are non-conventional
based on those same de facto standards you extol regarding netiquette.
http://www.newsreaders.com/guide/sigs.html
"Signatures, or "sigs" should be short, typically no more than 3 or 4
lines, ..."
http://www.xs4all.nl/~js/gnksa/gnksa.txt
Good Netkeeping Seal of Approval
"Separate signatures correctly, and don't use excessive ones"
"A widely accepted standard is the so-called McQuary limit: up to 4
lines, each up to a maximum of 80 characters."
I'm sure there are lots of articles around claiming to define the de
facto conventions but since you profess to be the expert then you
already know that prepending a space to the quote character and
appending excessive signatures is non-conformant with those
non-authoritative standards. Since the RFCs are often established to
standardize long-standing conventions, it is surprising that these
topics have not been standardized. Maybe it infringes on the
"creativity" (i.e., non-standardness) that so many would prefer to
exercise as it would, for example, cut down on all those signatures with
cutesy irrelevant message-of-the-day quips being added to the signatures,
or using them to bloat the poster's ego as though anyone cares about
their mini-resumé, or to slide in some covert spam under the guise of a
help post. We certainly don't want to use a consistent de facto quoting
style that is recognized by all NNTP clients regardless of your personal
opinions declaring everything else is shit other than the god-like
wisdom you exercised in your choice of an NNTP client. Rather we want
the developers to code lots more to handle all those abnormal or
"creative" quoting styles. Even if Gravity were the only NNTP client
that did not handle space(s) prepended to the quote character, how does
that alter the fact that the de facto convention that I've seen starts
with a visible and printable quote character, not a space? The lack of
one NNTP client to detect and handle a particular peculiar quoting style
is not the fault of the NNTP client but rather of the poster's
non-conventional quoting style.
So beyond all the arguments as to what is or is not standard based on an
RFC or some unwritten conventions, why do you feel that you must prepend
a space before the quote character? I think yours is the first that
I've seen where the poster actually added more whitespace (and before
the quote character) rather than using the convention or actually trying to
compress out any spaces.
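The disagreement in the posts above (whether a quote character must sit in column 1 as the strict RFC 3676 reading has it, and whether a newsreader should compress " > >" into ">>") comes down to how a reader parses the prefix. This is an added example, not code from the thread or from any newsreader: a strict parser and a lenient parser applied to the same lines, plus a normalizer that rewrites them into the compressed convention. The sample lines are constructed to mirror the quoting styles seen in this thread.

```python
import re

# Strict reading argued in the thread (RFC 3676 format=flowed): quote marks are
# '>' characters that begin in column 1, with no whitespace before or between them.
STRICT = re.compile(r"^(>+)")
# Lenient reading: skip whitespace before and between the quote characters, so
# " > > text" (leading space) and "> > text" (OE style) both count every '>'.
LENIENT = re.compile(r"^\s*((?:>\s*)+)")


def quote_depth(line, lenient=False):
    """Return (depth, body) for one article line.

    depth is the number of quote characters the chosen parser recognises;
    body is the text after the prefix with one stuffing space removed.
    """
    m = (LENIENT if lenient else STRICT).match(line)
    if not m:
        return 0, line
    depth = m.group(1).count(">")
    body = line[m.end():]
    if body.startswith(" "):
        body = body[1:]
    return depth, body


def normalize(line):
    """Rewrite a line into the compressed convention the thread describes
    (">>" instead of "> >" or " > >"), using the lenient parser so that a
    leading space does not hide the quote level."""
    depth, body = quote_depth(line, lenient=True)
    if depth == 0:
        return line
    return ">" * depth + (" " + body if body else "")


def render(lines, lenient):
    """Per-line depths as a strict or lenient newsreader would see them; this
    is why a strict client and a lenient one disagree on the same post."""
    return [quote_depth(line, lenient)[0] for line in lines]


# Constructed sample in the " > >" style discussed in the thread, plus one
# line in the compressed style, for comparison.
SAMPLE = [
    " > > Flash isn't evil.",
    " > [snip]",
    " > That's your opinion.",
    "And by similar application of your rationale, korn shell ...",
    ">>> deep quote in compressed style",
]

if __name__ == "__main__":
    for line in SAMPLE:
        strict_depth = render([line], False)[0]
        lenient_depth = render([line], True)[0]
        print(f"strict={strict_depth} lenient={lenient_depth} -> {normalize(line)!r}")
```

A strict parser sees the " > >" lines as unquoted body text, which is exactly the rendering problem described for Gravity; the lenient parser recovers the intended depth.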
Thanks for the link, but here's the problem. I set my global
security-privacy settings to the most conservative settings. A few
days later, I use this method to look at the settings again. They
have ALL been reset to their default (non-secure) values! This is
VERY repeatable.
I'll say it again. Flash is evil. I'll add: the publishers of same
are swine.
--
David Arnstein
arnstei...@pobox.com