From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: AW: 9/11 virus

Ralf <ralfml@...ray.com> replied to l8km7gr02@...akemail.com:

> Hmmm, a UI popping up stating that the user is going to execute something 
> and this may have a security impact (such as Eudora 5 does) is still a 
> good idea. Security through fear? Surely not a positive marketing value.

But can you imagine MS ever implementing this without feeling a need to 
add, just above the "OK -- shove it in hard and deep" button, a little 
check-box labelled "And do so every time without showing me this damned 
annoying dialog box first"?

> > users must be able to differentiate between executables and documents.
> 
> That requires energy and willingness to learn.

So does learning to drive a car and coming to understand the different 
consequences of slamming your foot down hard on the accelerator vs. on 
the brake...

Oddly though we expect folks to show they have mastered this minimal 
learning requirement (and a few others) before we let them take cars 
onto our roads and freeways, but we do not require simpler "driving 
skills" before letting the same folk loose on the "information 
superhighway"...

> > To that end, however, user
> > interfaces must be clear and explicit when it comes to helping the user
> > differentiate the two.
> 
> Wouldn't it be possible to create an OE addon that just does this the 
> correct way?

I seriously doubt it.

How many different ways have folk discovered to trick-out Outlook/OE/IE 
into auto-running attachments, seeing attachments that are "not there", 
mishandling "malformed" content/server responses/etc, and various other 
ill-mannered and generally undesirable things??

Do you really think anyone at Microsoft could accurately define the 
decision tree of Outlook/OE/IE in making all the critical security-
relevant mistakes^H^H^H^H^H^H^H^Hdecisions it makes in doing all this?

If MS doesn't know this, how do you propose anyone else could model it 
so such an add-on would get it right?  (Where "right" means "in 
agreement with what OE would decide".)

> Isn't "helping" the user "forcing" him actually? I.e. implicitly 
> admitting s/he can't make the right decision in the first place?

Yep, and as plenty of history shows, an awful lot of people need an 
awful lot of such "help", starting with the "designers" (and I use that 
term in the loosest possible way here) of most MS products.


Regards,

Nick FitzGerald

