From: user05 at kyberwelt.de (user05@...erwelt.de)
Subject: Microsoft removes 'user:passwd@...e' support

On Mon, 9 Feb 2004 13:40:17 -0000
"Richard Hatch" <r.hatch@...s.qinetiq.com> wrote:

[ some stuff deleted ]

> I am not a Microsoft fan, but given the huge number of email scams relying
> on this type of URL, something clearly had to be done to help protect users.
> Microsoft could have simply said "It's not our fault, we can't fix this
> without breaking other things".
> 
> I find it curious that this type of response has not been prompted by the
> "Hide known file extensions" feature of Windows.
> People may think "Why is someone I don't know sending me anna.jpg?" before
> they click on the file.
> If the filename was anna.jpg.exe, most users would think that something fishy was
> going on.
> 
> As far as I am concerned, the bottom line is that Microsoft's fix will help
> more people than will be affected by it.  If people are so bothered by this,
> use a different browser.
> 
> It does surprise me that some people in the IT security industry complain
> about the lack of security awareness amongst users on one hand, and argue
> about keeping support for methods that have been proven to fool users into
> clicking strange URL links.
> 
> It seems to me that people are so eager to continue pet arguments (i.e.
> anti-Microsoft) that any action by Microsoft is immediately scorned.
> 
> Let's stop the flame wars and get back to sharing information so that users
> can be better protected.

Still there are reasons to be concerned. Your point about hidden file extensions
is quite good. And with a monopolist like Microsoft (in fact with any big company)
there are reasons to search for possible intentions for doing this or that.
Not everything is based on pure technical arguments :/
As far as I remember, Microsoft has a "product" called "Passport" and is deploying
a framework called dotnet (or something like that :) strange name).
Removing support for some form of authentication might be just the easier way of
coping with this problem, but certainly might also be part of a bigger picture.
That is (sometimes) the way monopolists work towards more market-saturation.
Or is this too paranoid !?? ;}

my .02 cent

user#05

