lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: rms at computerbytesman.com (Richard M. Smith)
Subject: Origin of the term "driveby download"

In a private email, someone pointed out that a user can also check the
box "Always trust this Web site".  This option can be a source of the
problems that some people are seeing with Xupiter.  Especially when the
12-year old in the family makes this security choice for the rest of the
family.  The option is very tempting to select for someone who is tired
of seeing all those pesky security warnings.  

Richard

-----Original Message-----
From: Thor Larholm [mailto:lists.netsys.com@...ript.dk] 
Sent: Friday, January 31, 2003 10:30 AM
To: Richard M. Smith; full-disclosure@...ts.netsys.com
Cc: 'Brian McWilliams'
Subject: Re: [Full-Disclosure] Origin of the term "driveby download"


From: "Richard M. Smith" <rms@...puterbytesman.com>
> Yes, there is ActiveX warning message for a driveby download, but I
> think it is classic "blaming the victim" to call users who click the
yes
> button as "stupid".

The term "driveby download" heavily implies an automated install
process,
but we all know that there is no such automation here - the user has to
explicitly consent.

Because of this FUD term, articles such as
http://wired.com/news/infostructure/0,1377,57467,00.html has sentences
like
this:

"And the toolbar will install itself automatically when Internet
Explorer's
security settings aren't set to the highest level."

As we all know (if you didn't know, then now you do), signed ActiveX
components require explicit user consent before installing - on anything
except the very MINIMUM security settings. The default settings, heck
even
lowered settings above the minimum (there are 4 default levels of
settings),
will ask for explicit consent.

As such, could we please avoid using that term? It is confusing at best
and
havocing for (otherwise fruitfull) debates at worst.

Navigating your browser to an arbitrary website can bring up an
"Open/Save
file" dialog for an EXE file, but just because a large percentage of
clueless users click the Open button does not mean that we label the
process
as a "driveby download", or any such FUD term. Lack of clue in the
victim
does not impose a lack of security in the product.

And on the topic, both the "No" button (for signed ActiveX) and the
"Save"
button (for file dialogs) are the default active buttons - in case you
just
press Enter/Space.

> If an ActiveX control auto-installs without a security warning, then
> most likely security settings must be messed up.

If an ActiveX control auto-installs without a security warning, then you
have set your security settings to the lowest possible.


Regards
Thor

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ