Full Disclosure mailing list archives
RE: Origin of the term "driveby download"
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Fri, 31 Jan 2003 11:36:28 -0500
In a private email, someone pointed out that a user can also check the box "Always trust this Web site". This option can be a source of the problems that some people are seeing with Xupiter. Especially when the 12-year old in the family makes this security choice for the rest of the family. The option is very tempting to select for someone who is tired of seeing all those pesky security warnings. Richard -----Original Message----- From: Thor Larholm [mailto:lists.netsys.com () jscript dk] Sent: Friday, January 31, 2003 10:30 AM To: Richard M. Smith; full-disclosure () lists netsys com Cc: 'Brian McWilliams' Subject: Re: [Full-disclosure] Origin of the term "driveby download" From: "Richard M. Smith" <rms () computerbytesman com>
Yes, there is ActiveX warning message for a driveby download, but I think it is classic "blaming the victim" to call users who click the
yes
button as "stupid".
The term "driveby download" heavily implies an automated install process, but we all know that there is no such automation here - the user has to explicitly consent. Because of this FUD term, articles such as http://wired.com/news/infostructure/0,1377,57467,00.html has sentences like this: "And the toolbar will install itself automatically when Internet Explorer's security settings aren't set to the highest level." As we all know (if you didn't know, then now you do), signed ActiveX components require explicit user consent before installing - on anything except the very MINIMUM security settings. The default settings, heck even lowered settings above the minimum (there are 4 default levels of settings), will ask for explicit consent. As such, could we please avoid using that term? It is confusing at best and havocing for (otherwise fruitfull) debates at worst. Navigating your browser to an arbitrary website can bring up an "Open/Save file" dialog for an EXE file, but just because a large percentage of clueless users click the Open button does not mean that we label the process as a "driveby download", or any such FUD term. Lack of clue in the victim does not impose a lack of security in the product. And on the topic, both the "No" button (for signed ActiveX) and the "Save" button (for file dialogs) are the default active buttons - in case you just press Enter/Space.
If an ActiveX control auto-installs without a security warning, then most likely security settings must be messed up.
If an ActiveX control auto-installs without a security warning, then you have set your security settings to the lowest possible. Regards Thor _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Question about the new Xupiter toolbar Richard M. Smith (Jan 30)
- Re: Question about the new Xupiter toolbar Brian McWilliams (Jan 30)
- Re: Question about the new Xupiter toolbar Thor Larholm (Jan 31)
- Origin of the term "driveby download" Richard M. Smith (Jan 31)
- Re: Origin of the term "driveby download" Brian McWilliams (Jan 31)
- RE: Re: Origin of the term "driveby download" Geo (Jan 31)
- RE: Re: Origin of the term "driveby download" Brian McWilliams (Jan 31)
- RE: Origin of the term "driveby download" Richard M. Smith (Jan 31)
- Origin of the term "driveby download" Richard M. Smith (Jan 31)
- Re: Origin of the term "driveby download" Thor Larholm (Jan 31)
- Re: Origin of the term "driveby download" madsaxon (Jan 31)
- RE: Origin of the term "driveby download" Richard M. Smith (Jan 31)
- RE: Question about the new Xupiter toolbar Richard M. Smith (Jan 31)
- <Possible follow-ups>
- Re: Question about the new Xupiter toolbar xss-is-lame (Jan 30)