[wilhelmtux-discussion] Code question re Microsoft's Digital Literacy tutorials (part of the IT-Fitness initiative)

Manfred Morgner manfred.morgner at gmx.net
Sat Oct 20 02:45:54 CEST 2007


Hi Claude,

yes. If Mambo, Joomla! and others are _only_ working with Java or
other scripting or active elements, they are putting their clients
(especially the Windows users) in danger. In my environment, the risk
is minimal, because I only use one browser with scripting activated
and this does not activate scripting in any other application. But
Windows users are in danger if they are working with scripting active
in IE, because this means they have activated scripting in other
places where they do not expect it.

Teaching people to understand what they are doing with their
computers will help - but honestly, if Web Service providers do not
understand what they are doing, who would expect that normal people/
simple users have any chance to understand anything?

I had an interesting discussion with HP, about 5 years ago.
They changed their service page to another URL and they forwarded to
the new page using a JS statement! Simple HTML has been able to do this
for ages, but after a discussion lasting 2 months, HP was not willing to
change or even enhance their old page with a simple HTML statement.
HP wrote me that their web service is secure and I don't need to
worry about any danger. They didn't understand that the internet is
not the HP net and a web browser is used to browse the web, not only
the HP site. So I gave up and delegated the service job to a
colleague who didn't care about security.

Almost all people I know are willing to open their security settings
if they wish to consume certain information or do anything specific
with the internet. I do not. As a customer I'm the one who pays the
other side, so I expect that they take at least the simplest measures
to protect me. If not - I will not even show them my money.
Sometimes, if I'm relaxed enough, I write emails to such providers.
During the last 7 years, the success rate increased from 0% to 50%,
which is amazing!

But 1/2 year ago, Canon gave a bad example of extreme unwillingness
to do anything to protect me. So I gave up on requesting a 'pay
back' payment of 230,- CHF after I found out that they will deal
with my bank account information unencrypted over the internet,
sending my data to a contractor who was not named in any contract I
had with Canon. I started my investigation because the web form
for this action showed some signs of insecure implementation and no
sign of Canon - at first I thought 'phishing'. But I really wanted my
money back! So I spent some time finding out how Canon will process
my data.

And this is what's behind my behavior: If a provider is not willing
to _show_ me the willingness to protect me, I have to expect that he
will do more insecure actions behind the scenes. Curious: Even if most
of my friends are careless about internet security, none of them was
willing to get these 230,- CHF from Canon after I described to them
what they have to do to get it. Light at the end of the tunnel!

A last example: I'm a kind of Migros friend and I have no car. So, I
would use the internet shop of Migros, 'http://www.leshop.ch'. But I
can't. 3 or 4 years ago, they only supported IE and FF. I wrote them
that their message 'Your browser is incompatible with our online
shop' was misleading, because their online shop was incompatible with
other browsers. They understood and changed (at first) the error
message and later their online shop, so you may use it with (I
believe) any browser now. But - shit happens - only if you activate
JS. So this is a 50% success story of my 'I could be your customer'
emails. Maybe this will change too - later, but as long as LeShop
depends on active JS in my browser, ...  I should write a second
email to LeShop ;-)

Best regards,
Manfred.




On 20.10.2007 at 01:35, Claude Almansi wrote:

> Hi Manfred and All
>
> Thanks for your explanation, Manfred.  Does it mean that small firms
> that are having sites made with, say, Mambo, Joomla! and other CMS
> with ready-made modules, are putting their users / potential consumers
> at risk?
