Comment by pessimizer
13 hours ago
> What is the purported lesson we should have learned?
Not to automatically execute things within data that we have been sent.
The subtle lesson, which we won't learn is [astronaut meme] all communication is potentially remote code execution. This isn't a computer thing, it's in the inherent nature of how communication works for us too. You can be more or less careful, but you can't eliminate the problem entirely or else communicating ceases to be effective.
Hey, you! Stop executing code in my head!
I think it's "don't use parsers written in unsafe languages".
I think it's simpler: don't touch untrusted content unless/until you need to.
But that just moves it from 0-touch, to 1-touch (which is of course better).
But users are morons.
We STILL NOW, have people getting phished and pwning their employers.
Alas, there are a lot of things that you need to touch that are untrusted.
That's easy, and already done. Phones only touch untrusted content when they need to, it's just that they need to touch it immediately upon receipt.
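The "0-touch" versus "1-touch" distinction in the thread, as an added illustration that is not part of any commenter's post: an inbox that stores received bytes and builds its preview from metadata alone, so no parser runs until the user explicitly opens a message, beside a subclass that parses on receipt. The `Inbox`, `Message` and the two toy parsers are constructed for this example.

```python
import dataclasses
from typing import Callable, Dict, List, Optional

# Constructed stand-ins for real decoders; a client would dispatch to image/document libraries.
def parse_plain_text(data: bytes) -> str:
    return data.decode("utf-8", errors="replace")

def parse_image(data: bytes) -> str:
    # Minimal magic-byte check: malformed input is rejected instead of being decoded.
    if not data.startswith(b"\x89PNG"):
        raise ValueError("not a PNG")
    return f"png:{len(data)} bytes"

PARSERS: Dict[str, Callable[[bytes], str]] = {
    "text/plain": parse_plain_text,
    "image/png": parse_image,
}

@dataclasses.dataclass
class Message:
    sender: str
    declared_type: str
    payload: bytes
    parsed: Optional[str] = None  # stays None until the user opens the message

class Inbox:
    """1-touch model: receipt records bytes and metadata; parsing waits for an explicit open."""
    def __init__(self) -> None:
        self.messages: List[Message] = []
        self.parses = 0  # parser invocations, so a caller can verify none happen on receipt

    def receive(self, sender: str, declared_type: str, payload: bytes) -> int:
        self.messages.append(Message(sender, declared_type, bytes(payload)))
        return len(self.messages) - 1

    def preview(self, idx: int) -> str:
        m = self.messages[idx]  # built from metadata only; the payload is never inspected
        return f"{m.sender}: [{m.declared_type}, {len(m.payload)} bytes]"

    def open(self, idx: int) -> str:
        m = self.messages[idx]
        parser = PARSERS.get(m.declared_type)
        if parser is None:
            raise ValueError(f"no parser for {m.declared_type}")
        self.parses += 1
        m.parsed = parser(m.payload)
        return m.parsed

class ZeroTouchInbox(Inbox):
    """0-touch model: the same parser runs at receipt time, before anyone asked for the content."""
    def receive(self, sender: str, declared_type: str, payload: bytes) -> int:
        idx = super().receive(sender, declared_type, payload)
        self.open(idx)  # untrusted bytes reach the parser with no user action
        return idx
```

The difference is observable: with `Inbox`, a malformed payload sits inert until opened; with `ZeroTouchInbox`, the same payload hits the parser the moment it arrives.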