From: damian at sentex.net (Damian Gerow)
Subject: [Fwd: Last Critical Update]

Thus spake Richard M. Smith (rms@...puterbytesman.com) [23/09/03 17:40]:
> No user education is required.  Any Windows email reader worth its salt
> should be automatically deleting all incoming attached files which are
> executable programs.  Outlook has been doing this since the fall of
> 2000.  Outlook Express 6 also has this option, but it was off by default
> until recently. :-(

And that action prompts not only user interaction, but administrator
interaction.  Think outside the scope of your happy little Corporation, with
tightly controlled desktops.  Think ... ISP.  The Wild West of Computing.
</daydream>

See, the problem is, as an ISP, we have to provide multiple types of
services -- spam scanning, AV scanning, content filtering, etc.  So we do,
both for our sanity, our customers' sanity, and the sanity of the 'Net as a
whole.

It's become a not-too-uncommon occurrence for the end user to send us a
message, demanding that we turn off the filtering on their account, because
we're blocking their attachments.  Yes, OE is popping up, saying, 'Hi!  I've
blocked access to an unsafe attachment.  This is for your security.'

It's too late to just *stop* all attachments in their tracks.  End users
have gotten far too used to having what they have, to go backwards.
Especially those who 'upgrade' from Win95 to WinXP, and then claim that they
don't have the same functionality that they used to have.  And the burden of
this often falls on /our/ shoulders; the Providers.

At this point, I would suggest that instead of outright blocking it, a
message comes up that says, 'Hi.  You're about to run something unsafe.  You
shouldn't do this, no exceptions.  If you really want to, you may
permanently damage your computer.  Click OK to heedlessly run this program.'
And when that happens, pop up an exclamation box that says, 'Running unsafe
attachment, possible system damage may occur'.  Something straightforward
and simple, that will scare the pants off of them.  Make them /want/ to not
run attachments, I say!

Problem is, I know that users will just get used to those warnings, and
start to ignore them.  Just like people learn to ignore the oil warning
light on older cars, or the funny sound that their wheel wells make, or the
fact that every time they turn on their computer, they do a checkdisk ('Does
it always do this?' 'Oh yes, this is normal.').

IMHO, Microsoft has shoved the MUA market into a tight corner, with few
readily visible roads out.  And outright attachment blocking is /not/ one of
them, unfortunately.

</rant -- it's been a long day>

