[Pan-users] HTML posting Was: Should "Go Next Watched Article" work?
From: Duncan
Subject: [Pan-users] HTML posting Was: Should "Go Next Watched Article" work?
Date: Fri, 27 Sep 2013 19:53:59 +0000 (UTC)
User-agent: Pan/0.140 (Chocolate Salty Balls; GIT 6e6fd84 /usr/src/portage/src/egit-src/pan2)

manthony-hrKqIoV4s10AvxtiuMwx3w posted on Fri, 27 Sep 2013 06:51:46 -0700
as excerpted:

> I tried your suggestion: View My Messages Only, then View Threads. It
> kinda works, but involves a lot of mouse clicking. I like the keyboard
> shortcuts better. I guess I'll stick with 0.14.2.91 for now.

Of course the mouse clicks can be turned into keyboard shortcuts, since
pan allows assigning keyboard accels to anything on the menu, but that
just makes it a lot of keyboard shortcuts instead of a lot of mouse
clicks.

But I do the keyboard shortcut thing with, for instance, the match only
unread articles option (assigned to "r" for "read", here), since viewing
unread-only is my normal mode of operation, but every once in a while I
need to toggle it off to check a parent post or to look up a thread from a
month ago to mention elsewhere or to post a link to (since gmane
conveniently has a web interface link to the post as an added header in
the message in the news interface). Then of course I'd have to toggle it
back afterward. So I use the function often enough to find a keyboard
shortcut for it handy indeed! =:^)

> WRT HTML malware, I suppose it's possible, but it seems that you would
> have to have pretty lax defaults for your browser and OS for that to
> really be a serious problem. I worry more about my email address
> leaking onto the Internet, and being deluged with offers to improve the
> size/function of my reproductive organs.

With email, one of the tricks spammers use to verify an address is
sending an HTML mail that references an image on their site. Since they
had the address in order to send you the spam in the first place but
just didn't know if it was still valid, they encode it in the query
string (sometimes as the bare address, sometimes obfuscated) and log the
requests for that image on their website. Anyone who opens that mail in
an HTML-capable mail client (at least one that doesn't have external
resource fetching turned off for email) now has their email address
logged as verified!! This sort of tracker image is called a web bug.
Sometimes (but not always) a web bug is only a 1x1 px transparent gif/png,
DESIGNED to add nothing to the visual appearance of the page as it's
invisible and too small to affect spacing much, making its only function
tracking. (Of course they can use the same technique for anything else
requested externally, a CSS file or javascript, for instance, but
javascript is turned off frequently enough that doesn't work as well,
unless they're actively fishing for low security readers! I'm not sure
how effective CSS web bugs would be compared to images.) Web bugs are
commonly used for browser tracking on the web as well, tho in that case
they don't normally have the email address available, but can still
correlate IP address and information such as browser used, etc.

In the newsgroups as on the web (but not in email), the email address
isn't generally available, but web bugs can still be used to measure how
many views a spam post gets on a particular group, etc, so they can see
which types of subject headers get people to click in which groups, and
how many hits they get from each group. And of course they have the IP
address that made the request, which they can cross-correlate with other
information to see what ISP and city it came from, and possibly with
unrelated browsing, etc.

Web bugs are technically spyware, not malware, but when only malware is
mentioned, it often includes spyware by implication -- it's still
tracking not authorized or consented to by the user being tracked, and
thus is malware in the broader sense.

Fortunately, some HTML capable mail and news clients turn off external
resource fetching by default, these days, but I wouldn't count on it if
you don't see the option available, and even then, I wouldn't necessarily
trust the option due to bugs, etc.

Then of course there's all the java/javascript/flash/etc vulnerabilities
that have been found over the years. If your mail/news client is
treating the message as simple plain text, data, not executable, that's a
whole class of vulnerabilities, indeed, the majority of browser related
vulnerabilities, it will not be subject to. If it's treating messages as
active HTML, just as it would a web page, and worse, if it's actually
executing the java/scripting/flash/etc...

Meanwhile, how many non-spam/non-malware messages actually NEED HTML to
deliver their message effectively? And for the ones that DO actually
need it, there's always the ability to post a link to a web page along
with a description of what the reader can expect to find there, and let
the READER decide whether it's worth clicking that link, or not.

Thus, it's basically only the spammers and malware posters that NEED HTML
to hide some of their filter avoidance tricks or to attempt exploits --
even if it's as simple as a web bug and won't actually do anything
horrible to the reader's machine, it's still non-consensual tracking and
information leakage. Other than that, the vast majority of users posting
in HTML simply don't realize the implications of what they are doing,
and/or simply don't care.

This is why some people, often group/list regulars who know the topic
well and otherwise might provide the best answers, killfile HTML posters
on sight. The argument is that at best, they're a technically illiterate
AOLer type who doesn't know or care about the implications, and it's simply not
worth the time it takes to even see further messages from them... so they
arrange not to.

Here, I've seen even people who are normally HTML message averse get
caught-out unexpectedly posting it, when they're posting from their phone
or gmail or some client that unfortunately defaults to HTML and they just
lost their config resetting that to plain-text. That's yet another
reason not to choose a mail/news client that even processes HTML in the
first place -- in addition to the better security on the reader side, you
won't get caught-out posting it, that way. Between that and preferring
to give every poster at least one chance (hey, what can I say, I guess
I'm a bleeding heart in that regard), I do NOT killfile HTML on sight,
but I will if someone continues to post in HTML after a warning or two,
as to me, it's comparable to sliming your hand with snot and then
offering to shake hands (hey, for all I know that's the custom in some
weird tribe somewhere!) -- it's EXTREMELY offensive and disrespectful.
Yet still I prefer to give people that first chance, as for all I know
they /do/ come from that tribe where sliming one's hand with snot and
offering to shake hands is the custom.

Of course that doesn't mean I won't make sure I have on my latex gloves,
a client that doesn't parse HTML at all in this case, before I actually
/shake/ that offered slimy hand. =:^)

In that context, you can see why I consider HTML such an offense compared
to top posting. It's not that top posting is acceptable at all. It's
that HTML posts are so horribly unacceptable, that top posting pales in
comparison. Sort of like how the Syrians butchering each other isn't
really acceptable, but is sort of ignored/tolerated, while pulling out
the chemical weapons is considered an entirely different class of offense!

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
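
Added example, not part of the original post: a reader-side check for the web bugs described above, which lists every remote resource an HTML-rendering client would fetch for a message and flags URLs that carry the recipient's address, bare or encoded, along with 1x1 images. The function names, the three encodings checked, and the sample message (hosts and addresses are placeholders) are assumptions made for illustration.

```python
import base64
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Tag -> attribute that makes an HTML renderer fetch a remote resource.
FETCH_ATTRS = {"img": "src", "link": "href", "script": "src", "iframe": "src"}

def address_tokens(addr):
    """Bare and commonly obfuscated encodings of the recipient address."""
    raw = addr.lower().encode()
    return {"plain": addr.lower(), "hex": raw.hex(),
            "base64": base64.b64encode(raw).decode().rstrip("=")}

class RemoteFetchFinder(HTMLParser):
    def __init__(self, recipient):
        super().__init__()
        self.tokens = address_tokens(recipient)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        url = attr.get(FETCH_ATTRS.get(tag, ""), "") or ""
        if urlsplit(url).scheme not in ("http", "https"):
            return  # cid:, data: and relative references cause no remote request
        seen = unquote(url)
        leaks = sorted(k for k, t in self.tokens.items()
                       if t in seen or t in seen.lower())
        tiny = tag == "img" and {attr.get("width"), attr.get("height")} <= {"0", "1"}
        self.findings.append({"tag": tag, "url": url, "leaks": leaks, "tiny": tiny})

def scan_message(raw, recipient):
    """Return one finding per remote fetch in the message's text/html parts."""
    finder = RemoteFetchFinder(recipient)
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            finder.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return finder.findings

# Constructed sample message for the example.
SAMPLE = """From: offers@bulk-sender.example
To: reader@example.org
Content-Type: text/html; charset=utf-8

<img src="http://tracker.example/o.gif?u=reader%40example.org" width="1" height="1">
<img src="http://tracker.example/b.png?id=cmVhZGVyQGV4YW1wbGUub3Jn">
<img src="cid:logo">
"""
```

Calling `scan_message(SAMPLE, "reader@example.org")` reports the first image as a 1x1 pixel carrying the bare address and the second as carrying it base64-encoded; the `cid:` image is an inline attachment and triggers no request.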