From: vogt at hansenet.com (vogt@...senet.com)
Subject: AW: AW: 9/11 virus

> On this point, you and I agree -- a user should never receive
> indication from the UI that an executable is a picture, and then
> surprise the user by executing something which wasn't really a picture
> after all.  Implementing a UI which uses an arbitrary file naming
> convention to indicate the executability of a file, /and then going
> ahead and hiding the file extension by default/, is unbelievably
> braindead.  It's like they *tried* to blur the line between
> program and content.  Hmm.

Actually, CONSISTENCY would solve the problem. There should be ONE
decision as to what the file is, and then you stick by it. If - for
whatever reason - you think it's an image, then display it. The
problem only arises because the system changes its mind halfway
through.


> As to your suggestion that the implicit behaviour of a
> doubleclick is a problem, I think you're a bit off the mark.  Users
> know that a doubleclick will 'Open' whatever they click on, there's
> no ambiguity there.  The confusion only occurs when the user doesn't
> exactly know what it is they're doubleclicking on.

Yes, true. I insist, though, that users have been misled. The whole
notion of "open" is marketing bullshit. You don't "open" a picture, you
view it. You don't "open" a letter, you write (or read) it. You don't
"open" music, you listen to it.

It's all a problem of representation. Users don't need to know technical
details like executable or document. They need to know exactly what it is
that they require. "1-page letter" or "150 page e-book" is much more
important than "word document" or "pdf file".


> I think we agree on the main points, but have slightly
> differing senses of what a user 'needs to know'.  In order to function
> responsibly in this e-mail enabled world of ours, users must be able
> to differentiate between executables and documents.  Period.

Absolutely. As I said: The damn system should make up its mind and stick
to it.
People get "tricked" into running viruses? Nope, they don't. They do
with e-mail like they do in real life. When you buy a bottle of water, do
you take it to the chem lab to check whether it's really H2O before you
drink? 'course not. But that's what "the security industry" is asking
people to do with mail.

The problem is that Windows puts the label "Water" onto bottles that aren't
water. It's not the user who is tricked, it's the stupid OS.


Tom
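The thread's complaint is that the UI decides a file's type from its last extension, then hides that extension so the name the user sees suggests something else. The following is an added example, not code from the thread or its authors: it models a name-hiding display rule over a constructed set of attachment names and flags the ones where the real type (executable) and the displayed type (a picture or document) disagree. The extension sets are an illustrative subset, not a complete list of what Windows treats as executable.

```python
import os

# Constructed, illustrative subsets: extensions the OS will execute, and
# extensions a user expects only to view or read.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
CONTENT_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".pdf", ".doc", ".txt"}


def classify(filename: str) -> str:
    """One decision, made once, from the real (last) extension."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in CONTENT_EXTS:
        return "content"
    return "unknown"


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Name as shown by a UI that hides the last extension when it is a known type.

    This is the display rule the thread objects to: the decision about what the
    file is has already been taken from the hidden part.
    """
    stem, ext = os.path.splitext(filename)
    if hide_known_extensions and ext.lower() in EXECUTABLE_EXTS | CONTENT_EXTS:
        return stem
    return filename


def is_misleading(filename: str, hide_known_extensions: bool = True) -> bool:
    """True when the file will execute but its displayed name reads as content.

    The displayed name's own trailing extension (e.g. '.jpg' in 'photo.jpg.exe'
    shown as 'photo.jpg') is what the user takes as the file's type.
    """
    if classify(filename) != "executable":
        return False
    shown = displayed_name(filename, hide_known_extensions)
    shown_ext = os.path.splitext(shown)[1].lower()
    return shown_ext in CONTENT_EXTS


def audit(filenames, hide_known_extensions: bool = True):
    """Return (real name, displayed name, real type, misleading?) per file."""
    return [
        (f, displayed_name(f, hide_known_extensions), classify(f),
         is_misleading(f, hide_known_extensions))
        for f in filenames
    ]


# Constructed sample attachment names; none refer to a real file.
SAMPLE_ATTACHMENTS = [
    "holiday.jpg",
    "holiday.jpg.exe",
    "report.pdf.scr",
    "setup.exe",
    "notes.txt",
    "archive.bin",
]


if __name__ == "__main__":
    for real, shown, kind, bad in audit(SAMPLE_ATTACHMENTS):
        flag = "MISLEADING" if bad else ""
        print(f"{real:20} shown as {shown:14} type={kind:10} {flag}")
```

With extensions hidden, `holiday.jpg.exe` is displayed as `holiday.jpg` and is flagged; with `hide_known_extensions=False` the same name shows in full and is no longer misleading, which is the consistency point made above: the type the user sees and the type the OS acts on are the same decision.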

