Overview

People want things to "work", but different people have different definitions
of the word "work".

Once upon a time there was a simple world wide web with static pages written
in HTML. The only magical ingredient in those pages was the links you could click
to go to other similar documents. This seemed to satisfy the mainly academic
people who conceived of the www as a vast set of linked documents. At first this
accomplishment seemed quite amazing, but soon people wanted more.

Frankly, I don't know if it was users who demanded interactive web content
or if it was web designers, advertisers, and salesmen. Anyone with a little insight
could have known early on that active content would bring a whole new set of
security problems to the net, but "people want things to work".

There are two types of people in the world: optimists, and the rest of us.
Active content was obviously invented by optimists, and the rest of us have
to cope as best we can. Everyone has an optimist in the family, the brother-in-law
who is starting a business and wants you to mortgage your home to invest in it.

We are all being swept along by a wave of active content, headlong downhill
and faster than we would like, pulled along by the optimists who are sure
"everything will turn out fine", and in the company of users saying
"people want things to work".

The specifics

It's an oversimplification, but interactive web content can roughly be divided
into two types, server side "stuff" and client side "stuff". When you have server
side stuff, interactive content is generated when auxiliary programs on the server
respond to client requests and generate a new page according to input from the user.

Client side stuff is accomplished by having programs running on the user's computer
that respond to requests from the server. Obviously, the security issues are different.
We might also ask whose interests are being served by these methods. You can turn off
ActiveX and JavaScript, but you "want web pages to work", don't you?

The inevitability of progress

Complain about ActiveX, and someone will testily remind you that "it's progress, it's
already here, deal with it". Besides, "people want things to work". Yeah, I want things to work,
but I'll get there in a minute. When someone brushes your concerns aside and lectures
you about opposing "progress", he is either an optimist or one of their disciples:
people who advocate neat new stuff, but never have to debug it and never have to deal
with the consequences of premature deployment of unripe technologies that are full
of security holes.

Who wants things to work?

Or, whose interests are being served when "things work"? I think it depends on what
those things are designed for. Whose interests are served when a rootkit works?
Whose interests are served if an OS or a web browser works as a transmission belt for
ads and other unsolicited one-way content? Whose interests are served when you
take reasonable measures to secure your browser, only to discover that half of
the sites you want to browse are now non-functional?

Trade-off?

It is often repeated, as if it were gospel, that there is a trade-off between
security and functionality, and that this is one of the things you just have
to "deal with". Usually people mean this to say, "you gotta reduce your security
in order to experience the web the way it is intended".

This may be true in practice, but not necessarily in theory. In other words,
it is this way because it was designed this way, because someone's interests
are served by keeping you vulnerable.

Get involved in software design. Get involved in web design. Above all,
get involved in internet governance, if only to protect yourself from
the optimists.