Full Disclosure mailing list archives
AW: AW: 9/11 virus
From: vogt () hansenet com
Date: Fri, 12 Sep 2003 10:14:19 +0200
On this point, you and I agree -- a user should never receive indication from the UI that an executable is a picture, and then surprise the user by executing something which wasn't really a picture after all. Implementing a UI which uses an arbitrary file naming convention to indicate the executability of a file, /and then going ahead and hiding the file extension by default/, is unbelievably braindead. It's like they *tried* to blur the line between program and content. Hmm.
Actually, CONSISTENCY would solve the problem. There should be ONE decision as to what the file is, and then you stick by it. If - for whatever reason - you think it's an image, then display it. The problem only arises because the system changes its mind halfway through.
As to your suggestion that the implicit behaviour of a doubleclick is a problem, I think you're a bit off the mark. Users know that a doubleclick will 'Open' whatever they click on, there's no ambiguity there. The confusion only occurs when the user doesn't exactly know what it is they're doubleclicking on.
Yes, true. I insist, though, that users have been misled. The whole notion of "open" is marketing bullshit. You don't "open" a picture, you view it. You don't "open" a letter, you write (or read) it. You don't "open" music, you listen to it. It's all a problem of representation. Users don't need to know technical details like executable or document. They need to know exactly what it is that they require. "1-page letter" or "150 page e-book" is much more important than "word document" or "pdf file".
I think we agree on the main points, but have slightly differing senses of what a user 'needs to know'. In order to function responsibly in this e-mail enabled world of ours, users must be able to differentiate between executables and documents. Period.
Absolutely. As I said: The damn system should make up its mind and stick to it. People get "tricked" into running viruses? Nope, they don't. They do with e-mail like they do in real life. When you buy a bottle of water, do you take it to the chem lab to check whether it's really H2O before you drink? 'course not. But that's what "the security industry" is asking people to do with mail. The problem is that Windows puts the label "Water" onto bottles that aren't water. It's not the user who is tricked, it's the stupid OS.
Tom
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html