manthony-hrKqIoV4s10AvxtiuMwx3w posted on Fri, 27 Sep 2013 06:51:46 -0700 as excerpted:
> I tried your suggestion: View My Messages Only, then View Threads. It
> kinda works, but involves a lot of mouse clicking. I like the keyboard
> shortcuts better. I guess I'll stick with 0.14.2.91 for now.

Of course the mouse clicks can be turned into keyboard shortcuts, since pan allows assigning keyboard accels to anything on the menu, but that just makes it a lot of keyboard shortcuts instead of a lot of mouse clicks.

But I do the keyboard shortcut thing with, for instance, the match only unread articles option (assigned to "r" for "read", here), since viewing unread-only is my normal mode of operation, but every once in a while I need to toggle it off to check a parent post or to look up a thread from a month ago to mention elsewhere or to post a link to (since gmane conveniently has a web interface link to the post as an added header in the message in the news interface). Then of course I'd have to toggle it back afterward. So I use the function often enough to find a keyboard shortcut for it handy indeed! =:^)

> WRT HTML malware, I suppose it's possible, but it seems that you would
> have to have pretty lax defaults for your browser and OS for that to
> really be a serious problem. I worry more about my email address
> leaking onto the Internet, and being deluged with offers to improve the
> size/function of my reproductive organs.

With email, one of the tricks spammers use to verify an address is sending an HTML mail that references an image on their site. Since they had the address in order to send you the spam in the first place but just didn't know if it was still valid, they encode it in the query string (sometimes as the bare address, sometimes obfuscated) and log the requests for that image on their website. Anyone who opens that mail in an HTML-capable mail client (at least one that doesn't have external resource fetching turned off for email) now has their email address logged as verified!! This sort of tracker image is called a web bug.
Sometimes (but not always) a web bug is only a 1x1 px transparent gif/png, DESIGNED to add nothing to the visual appearance of the page as it's invisible and too small to affect spacing much, making its only function tracking. (Of course they can use the same technique for anything else requested externally, a CSS file or javascript, for instance, but javascript is turned off frequently enough that doesn't work as well, unless they're actively fishing for low security readers! I'm not sure how effective CSS web bugs would be compared to images.)

Web bugs are commonly used for browser tracking on the web as well, tho in that case they don't normally have the email address available, but can still correlate IP address and information such as browser used, etc.

In the newsgroups as on the web (but not in email), the email address isn't generally available, but web bugs can still be used to measure how many views a spam post gets on a particular group, etc, so they can see which types of subject headers get people to click in which groups, and how many hits they get from each group. And of course they have the IP address that made the request, which they can cross-correlate with other information to see what ISP and city it came from, and possibly with unrelated browsing, etc.

Web bugs are technically spyware, not malware, but when only malware is mentioned, it often includes spyware by implication -- it's still tracking not authorized or consented to by the user being tracked, and thus is malware in the broader sense.

Fortunately, some HTML capable mail and news clients turn off external resource fetching by default, these days, but I wouldn't count on it if you don't see the option available, and even then, I wouldn't necessarily trust the option due to bugs, etc.

Then of course there's all the java/javascript/flash/etc vulnerabilities that have been found over the years.
If your mail/news client is treating the message as simple plain text, data, not executable, that's a whole class of vulnerabilities, indeed, the majority of browser related vulnerabilities, it will not be subject to. If it's treating messages as active HTML, just as it would a web page, and worse, if it's actually executing the java/scripting/flash/etc...

Meanwhile, how many non-spam/non-malware messages actually NEED HTML to deliver their message effectively? And for the ones that DO actually need it, there's always the ability to post a link to a web page along with a description of what the reader can expect to find there, and let the READER decide whether it's worth clicking that link, or not.

Thus, it's basically only the spammers and malware posters that NEED HTML to hide some of their filter avoidance tricks or to attempt exploits -- even if it's as simple as a web bug and won't actually do anything horrible to the reader's machine, it's still non-consensual tracking and information leakage. Other than that, the vast majority of users posting in HTML simply don't realize the implications of what they are doing, and/or simply don't care.

This is why some people, often group/list regulars who know the topic well and otherwise might provide the best answers, killfile HTML posters on sight. The argument is that at best, they're a technically illiterate AOLer type who doesn't know or care the implications, and it's simply not worth the time it takes to even see further messages from them... so they arrange not to.

Here, I've seen even people who are normally HTML message averse get caught-out unexpectedly posting it, when they're posting from their phone or gmail or some client that unfortunately defaults to HTML and they just lost their config resetting that to plain-text.
That's yet another reason not to choose a mail/news client that even processes HTML in the first place -- in addition to the better security on the reader side, you won't get caught-out posting it, that way.

Between that and preferring to give every poster at least one chance (hey, what can I say, I guess I'm a bleeding heart in that regard), I do NOT killfile HTML on sight, but I will if someone continues to post in HTML after a warning or two, as to me, it's comparable to sliming your hand with snot and then offering to shake hands (hey, for all I know that's the custom in some weird tribe somewhere!) -- it's EXTREMELY offensive and disrespectful. Yet still I prefer to give people that first chance, as for all I know they /do/ come from that tribe where sliming one's hand with snot and offering to shake hands is the custom.

Of course that doesn't mean I won't make sure I have on my latex gloves, a client that doesn't parse HTML at all in this case, before I actually /shake/ that offered slimy hand. =:^)

In that context, you can see why I consider HTML such an offense compared to top posting. It's not that top posting is acceptable at all. It's that HTML posts are so horribly unacceptable, that top posting pales in comparison. Sort of like how the Syrians butchering each other isn't really acceptable, but is sort of ignored/tolerated, while pulling out the chemical weapons is considered an entirely different class of offense!

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman

_______________________________________________
Pan-users mailing list
Pan-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/pan-users
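
Added example, not part of the original post: a sketch of how a reader-side filter could list the remote fetches an HTML message would trigger and flag the web-bug patterns described above (invisible image, recipient address bare or encoded in the URL). The function names, the sample message and the tracker.example host are constructed for illustration.

```python
import base64
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import unquote

FETCH_ATTR = {"img": "src", "link": "href", "script": "src", "iframe": "src"}

class RemoteRefs(HTMLParser):
    """Collect every element a rendering client would fetch from a remote host."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(FETCH_ATTR.get(tag, ""), "") or ""
        if url.lower().startswith(("http://", "https://", "//")):
            self.refs.append((tag, url, a))

def find_web_bugs(raw_message, recipient):
    """Return [(tag, url, reasons)] for each remote reference in the HTML parts."""
    raw = recipient.encode()
    encoded = {f(raw).decode().rstrip("=") for f in (base64.b64encode, base64.urlsafe_b64encode)}
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue  # plain-text parts are data only, nothing is fetched
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        parser = RemoteRefs()
        parser.feed(body)
        for tag, url, a in parser.refs:
            reasons, plain = [], unquote(url)
            if tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
                reasons.append("invisible image")
            if recipient.lower() in plain.lower():
                reasons.append("bare address in URL")
            elif any(e in plain for e in encoded):
                reasons.append("encoded address in URL")
            findings.append((tag, url, reasons))  # empty reasons: still leaks IP and view
    return findings

# Constructed sample message (not real traffic); tracker.example is a placeholder host.
_token = base64.urlsafe_b64encode(b"reader@example.org").decode()
SAMPLE = (
    "From: offers@tracker.example\nTo: reader@example.org\n"
    "Subject: sale\nContent-Type: text/html; charset=utf-8\n\n"
    '<p>Sale!</p><img src="http://tracker.example/o.gif?e=reader%40example.org" width="1" height="1">'
    f'<img src="http://tracker.example/b.png?id={_token}">'
    '<link rel="stylesheet" href="http://tracker.example/s.css"><img src="cid:logo">'
)
if __name__ == "__main__":
    print(*find_web_bugs(SAMPLE, "reader@example.org"), sep="\n")
```

A reference with an empty reasons list is still a remote fetch, so a client that blocks external resources should refuse it too, not only the flagged ones.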