Full Disclosure mailing list archives
Re: AW: 9/11 virus
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 13 Sep 2003 16:52:43 +1200
Ralf <ralfml () alfray com> replied to l8km7gr02 () sneakemail com:
> Hmmm, a UI popping up stating that the user is going to execute something and this may have a security impact (such as Eudora 5 does) is still a good idea. Security through fear? Surely not a positive marketing value.
But can you imagine MS ever implementing this without feeling a need to add, just above the "OK -- shove it in hard and deep" button, a little check-box labelled "And do so every time without showing me this damned annoying dialog box first"?
> users must be able to differentiate between executables and documents. That requires energy and willingness to learn.
So does learning to drive a car and coming to understand the different consequences of slamming your foot down hard on the accelerator vs. on the brake... Oddly though we expect folks to show they have mastered this minimal learning requirement (and a few others) before we let them take cars onto our roads and freeways, but we do not require simpler "driving skills" before letting the same folk loose on the "information superhighway"...
> To that end, however, user interfaces must be clear and explicit when it comes to helping the user differentiate the two. Wouldn't it be possible to create an OE addon that just does this the correct way?
I seriously doubt it. How many different ways have folk discovered to trick-out Outlook/OE/IE into auto-running attachments, seeing attachments that are "not there", mishandling "malformed" content/server responses/etc, and various other ill-mannered and generally undesirable things?? Do you really think anyone at Microsoft could accurately define the decision tree of Outlook/OE/IE in making all the critical security-relevant mistakes^H^H^H^H^H^H^H^Hdecisions it makes in doing all this? If MS doesn't know this, how do you propose anyone else could model it so such an add-on would get it right? (Where "right" means "in agreement with what OE would decide".)
> Isn't "helping" the user "forcing" him actually? I.e. implicitly admitting s/he can't make the right decision in the first place?
Yep, and as plenty of history shows, an awful lot of people need an awful lot of such "help", starting with the "designers" (and I use that term in the loosest possible way here) of most MS products.

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
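The thread above argues over whether a mail client can help users tell executables from documents. The added example below (mine, not from anyone in this thread) shows the defender-side half of that: judging an attachment by its leading bytes and its full extension chain rather than by the name or Content-Type it claims. The extension list, magic-byte table and the sample message are constructed for the example.

```python
from email.message import EmailMessage

# Constructed list of extensions that Windows shells of the era would execute.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
# Constructed magic-byte table: what the first bytes say the file really is.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole-document"),
    (b"PK\x03\x04", "zip-container"),
]

def sniff(data: bytes) -> str:
    """Identify content by its leading bytes, ignoring any claimed type."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"

def classify_attachment(filename: str, data: bytes) -> dict:
    """Flag an attachment as executable if name or content says so."""
    exts = filename.lower().split(".")[1:]      # every extension after the stem
    actual = sniff(data)
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension")
        if len(exts) > 1:                       # e.g. readme.doc.exe
            reasons.append("double extension")
    if actual == "pe-executable" and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        reasons.append("PE content under document name")
    return {"filename": filename, "content": actual,
            "executable": bool(reasons), "reasons": reasons}

def build_sample() -> EmailMessage:
    """Constructed message: one honest PDF and two disguised executables."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 fake pdf body", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 fake pe body", maintype="application",
                       subtype="msword", filename="readme.doc.exe")
    msg.add_attachment(b"MZ\x90\x00 fake pe body", maintype="text",
                       subtype="plain", filename="notes.txt")
    return msg

def scan_message(msg: EmailMessage) -> list:
    """Classify every attachment; decode the raw bytes, never trust Content-Type."""
    return [classify_attachment(p.get_filename() or "", p.get_payload(decode=True))
            for p in msg.iter_attachments()]
```

Running `scan_message(build_sample())` marks the PDF as harmless and both MZ-headed parts as executable, one for its double extension and one for carrying PE content under a .txt name.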
Current thread:
- AW: 9/11 virus vogt (Sep 11)
- Re: AW: 9/11 virus l8km7gr02 (Sep 11)
- Re: AW: 9/11 virus Exibar (Sep 11)
- Re: AW: 9/11 virus Ralf (Sep 11)
- Re: AW: 9/11 virus Nick FitzGerald (Sep 12)
- <Possible follow-ups>
- Re: AW: 9/11 virus Paul Szabo (Sep 11)
- Re: AW: 9/11 virus l8km7gr02 (Sep 11)