lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <3F634B5B.12352.4214A94@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: AW: 9/11 virus

Ralf <ralfml@...ray.com> replied to l8km7gr02@...akemail.com:

> Hmmm, a UI poping up stating that the user is going to execute something 
> and this may have a security impact (such as Eudora 5 does) is still a 
> good idea. Security through fear? Surely not a positive marketing value.

But can you imagine MS ever implementing this without feeling a need to 
add, just above the "OK -- shove it in hard and deep" button, a little 
check-box labelled "And do so every time without showing me this damned 
annoying dialog box first"?

> > users must be able to differentiate between executables and documents.
> 
> That requires energy and willingness to learn.

So does learning to drive a car and coming to understaind the different 
consequences of slamming your foot down hard on the accelerator vs. on 
the brake...

Oddly though we expect folks to show they have mastered this minimal 
learning requirement (and a few others) before we let them take cars 
onto our roads and freeways, but we do not require simpler "driving 
skills" before letting the same folk loose on the "information 
superhighway"...

>  > To that end, however, user
> > interfaces must be clear and explicit when it comes to helping the user
> > differentiate the two.
> 
> Wouldn't it be possible to create an OE addon that just does this the 
> correct way?

I seriously doubt it.

How many different ways have folk discovered to trick-out Outlook/OE/IE 
into auto-running attachments, seeing attachments that are "not there", 
mishandling "malformed" content/server responses/etc, and various other 
ill-mannered and generally undesirable things??

Do you really think anyone at Microsoft could accurately define the 
decision tree of Outlook/OE/IE in making all the critical security-
relevant mistakes^H^H^H^H^H^H^H^Hdecisions it makes in doing all this?

If MS doesn't know this, how do you propose anyone else could model it 
so such an add-on would get it right?  (Where "right" means "in 
agreement with what OE would decide".)

> Isn't "helping" the user "forcing" him actually? I.e. implicitely 
> admitting s/he can't make the right decision in the first place?

Yep, and as plenty of history shows, an awful lot of people need an 
awful lot of such "help", starting with the "designers" (and I use that 
term in the loosest possible way here) of most MS products.


Regards,

Nick FitzGerald


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ