
Yahoo! Corrupts

Yahoo! has recently taken to modifying its users' emails in an attempt to protect against malicious scripts. Words that are commands in some programming languages get replaced by other words with a similar meaning but no programming function. Thus, mocha is replaced by espresso, eval by review and expression by statement. I would have thought that anyone who uses the word mocha cares that it is different from espresso - other people would just say coffee. The change is also made if the blacklisted word is part of a longer word, so evaluate might become reviewuate.

A search for reviewuate on Google found 170 web pages, and, in the first thirty of those, two were links discussing Yahoo's actions. The rest were webpages discussing topics including stock markets, junior fiction, peace education, and Chinese language degree courses. Congratulations, Yahoo, you have created a new word!

Yahoo! spokesperson Mary Osako said, "To ensure the highest level of security for our users, Yahoo! employs automated software to protect our users from potential cross-scripting violations." Ms Osako is forgetting that there are three aspects of security: Confidentiality, Integrity and Availability. By modifying emails without authorisation, Yahoo! is destroying their integrity. They are also making some people who sent their latest web page updates via Yahoo! look rather foolish.

So how can we protect against scripts in email, without mangling the writer's meaning? The simplest method is very effective: do not use an email client that executes scripts, i.e., use something other than Microsoft Outlook. I have met no one who claims they need such a flawed email client. An up-to-date anti-virus scanner will find most other nasties in email. When something is found, the email should be blocked, not modified, and appropriate people notified.

Searching for particular words can be useful, to block obscenities, for example, but it is a very crude method to employ for looking for executable code. It should also be applied with thought - I have heard one report of a major drug company blocking the word "sex". One might expect legitimate emails in a drug company would contain that word, for example, in discussions of clinical trials, or if they have products specific to one or other sex. Also, all their employees in the English county of Essex could not send or receive email until the block was lifted.
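The two failure modes above (evaluate becoming reviewuate, and Essex tripping a block on "sex") come from matching a blocklisted word anywhere inside a longer word and then silently rewriting the message. The following is an added illustration, not Yahoo!'s software or any real filter; the blocklist and sample sentences are constructed. It contrasts the substring rewrite with a whole-word scan that leaves the text alone and either delivers it untouched or blocks it and reports why.

```python
import re

# Constructed blocklist mirroring the substitutions the article describes.
WORD_SUBSTITUTIONS = {"mocha": "espresso", "eval": "review", "expression": "statement"}


def naive_rewrite(text, subs=WORD_SUBSTITUTIONS):
    """Substring replacement of the kind described above.

    Rewrites the message in place, and because it matches inside longer
    words, 'evaluate' becomes 'reviewuate' and 'Essex' would be mangled
    by a 'sex' rule. This is the behaviour to avoid.
    """
    for bad, good in subs.items():
        text = text.replace(bad, good)
    return text


def whole_word_matches(text, blocklist):
    """Return the blocklisted words that appear as whole words, case-insensitively.

    \\b anchors the match to word boundaries, so 'eval' does not fire on
    'evaluate' and 'sex' does not fire on 'Essex'. The text is never modified.
    """
    pattern = re.compile(
        r"\b(" + "|".join(re.escape(w) for w in blocklist) + r")\b", re.IGNORECASE
    )
    return sorted({m.group(1).lower() for m in pattern.finditer(text)})


def screen_message(text, blocklist):
    """Block-and-notify policy: return (delivered_text, matches).

    If any whole-word match is found the message is withheld (delivered_text
    is None) and the matches are returned so the appropriate people can be
    told what was found and decide. Otherwise the original text is delivered
    byte-for-byte, preserving its integrity.
    """
    matches = whole_word_matches(text, blocklist)
    if matches:
        return None, matches
    return text, []
```

Note that a whole-word scan still flags legitimate uses such as "sex-specific dosing" in a clinical discussion; matching on words, however carefully, remains the crude method the text describes, and the gain here is only that nothing is silently altered.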

