[NTLUG:Discuss] Executable Content Considered Harmful

Christopher Browne cbbrowne at hex.net
Sun May 7 12:11:51 CDT 2000


On Sun, 07 May 2000 10:38:08 CDT, the world broke into rejoicing as
Richard Cobbe <cobbe at directlink.net>  said:
> Lo, on Friday, 5 May, 2000, Christopher Browne did write:
> 
> > But there were similar problems before the days of Windows.
> 
> <SNIP>
> 
> > 2.  Emacs editors (GNU Emacs and XEmacs) both provide the ability to
> >     attach "variables," executable by the editor, to documents.
> > 
> >     This is quite useful if you want to, say, use a customized
> >     electric-C mode for editing programs.  When you load a source code
> >     file into the editor, it provides instructions to the editor as to
> >     what indentation policy to apply and such.
> > 
> >     This is fairly well-documented as providing a "hole."  If you bring
> >     in files from just anywhere, you should _not_ set up Emacs to
> >     automatically evaluate such variables, as there is the risk of
> >     someone dropping in nefarious code.
> 
> I'm thinking I should probably lock this down, since I use emacs almost
> exclusively, even as root....  How does one disable this feature?  And
> does disabling this also break the -*- foo -*- bit to throw the buffer into
> foo-mode?

Nope; if you don't *know* that you've activated (enable-local-eval), then
you probably haven't.  Look for it in your .emacs file; I expect it's not
set.

(enable-local-eval) doesn't affect choosing modes; it affects setting
variables based on configuration in the file.  Picking a major/minor
mode doesn't involve doing anything nefarious, so _that_ is not a big
risk, and thus it is not affected by the variable evaluation.

So no, "setting variables" doesn't do anything to break -*- C-mode -*-.

> > 3.  Web pages do exactly the same thing; ECMAScript code that "sucks"
> >     your web browser in to front pages of porn web servers is another
> >     example of this.  When you can't close browser windows without another
> >     one popping open to head somewhere lurid, that's another example of
> >     this situation.
> 
> Right.  I actually look upon this as one of the beneficial side effects of
> the love letter virus and variants.  Javascript, IM(NS)HO, should be
> obliterated from the face of the planet; ILOVEYOU was just helping it
> along!
>
> <big grin for the humor-impaired>
> 
> I should probably point out that I don't really know Java/ECMAScript, so I
> can't comment on the language based on its own merits.  However, as Chris
> points out, it is frequently used for things that are pointless, annoying,
> harassing, or any combination of the above.

Indeed.

And I was just thinking, even if the Microsoft claims that "what hurts
MSFT hurts the US economy" are true, this doesn't mean that DOJ action
against MSFT is, in the long run, hurtful to the US economy.

A different way to view it _that is fairly legitimate_ is that if all
the Microsoft claims about their importance in the economy are true, then
this clearly displays that the economy is being "held hostage" to the needs
of MSFT.  _THAT IS A BAD THING._  There may be temporary ill effects in
remedying the overdependency of the economy on MSFT products, but in order
to maintain a _healthy_ economy, this is necessary nonetheless.

A drug addict, dependent on crack cocaine, will find that eliminating it
from their diet is tough to cope with, for a time.  But this is a step
towards life and health.  ;-]  The comparison isn't perfect; I'd really
rather not use such an extreme example of dependency.

--
Any programmer who fails to comply with the standard naming, formatting,
or commenting conventions should be shot.  If it so happens that it is
inconvenient to shoot him, then he is to be politely requested to recode
his program in adherence to the above standard.
-- Michael Spier, Digital Equipment Corporation
cbbrowne at ntlug.org - <http://www.hex.net/~cbbrowne/lsf.html>
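
An added example, not part of the original message: a Python check that lists the file-local settings Emacs would find in a file and flags the `eval:` entries, which are what `enable-local-eval` governs, while a bare `-*- C -*-` line only names a mode. It simplifies Emacs's own parsing (assumptions: the block is searched for in the last 3000 characters only, and a `;` inside a Lisp string on the first line is not handled); the function names and sample files are constructed for illustration.

```python
import re

PROP_LINE = re.compile(r"-\*-(.*?)-\*-")
BLOCK_START = re.compile(r"^(.*?)Local Variables:[ \t]*(.*)$", re.I | re.M)

def file_local_entries(text):
    """Return (where, name, value) for each file-local setting in text."""
    found = []
    lines = text.splitlines()
    # Property line: the first line, or the second when the first is "#!...".
    head = lines[:2] if lines and lines[0].startswith("#!") else lines[:1]
    for line in head:
        m = PROP_LINE.search(line)
        for item in (m.group(1).split(";") if m else []):
            name, sep, value = item.partition(":")
            if sep:
                found.append(("first-line", name.strip().lower(), value.strip()))
            elif item.strip():
                # A bare "-*- C -*-" only names a major mode.
                found.append(("first-line", "mode", item.strip()))
    # "Local Variables:" block, searched for near the end of the file.
    tail = text[-3000:]
    m = BLOCK_START.search(tail)
    if m:
        prefix, suffix = m.group(1).strip(), m.group(2).strip()
        for line in tail[m.end():].splitlines():
            body = line.strip()
            if body.startswith(prefix):
                body = body[len(prefix):]
            if suffix and body.endswith(suffix):
                body = body[:-len(suffix)]
            name, sep, value = body.partition(":")
            if not sep:
                continue
            if name.strip().lower() == "end":
                break
            found.append(("local-block", name.strip().lower(), value.strip()))
    return found

def eval_entries(text):
    """Entries that ask Emacs to evaluate Lisp; mode selection is excluded."""
    return [e for e in file_local_entries(text) if e[1] == "eval"]

# Constructed sample files (not from the original thread).
MODE_ONLY = "/* -*- C -*- */\nint main(void) { return 0; }\n"
WITH_EVAL = ('notes (constructed)\n# Local Variables:\n# mode: text\n'
             '# eval: (message "evaluated on open")\n# End:\n')

if __name__ == "__main__":
    for label, sample in (("MODE_ONLY", MODE_ONLY), ("WITH_EVAL", WITH_EVAL)):
        print(label, eval_entries(sample))
```

Running it over files received from elsewhere before opening them shows which ones carry `eval:` forms, independent of how the editor is configured.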