Bugtraq mailing list archives

Re: SECURITY.NNOV: Outlook Express address book spoofing


From: Kee Hinckley <nazgul () somewhere com>
Date: Thu, 7 Jun 2001 13:49:06 -0400


At 5:26 PM -0700 6/6/01, Dan Kaminsky wrote:
 > e.g. "myfriend () good example org <attacker () evil example net>" the way
 > other packages like Netscape Messenger, Mozilla Mail, Pine, and Mutt do.

Good example of how user interface theory can be critical to resolving
security concerns.

I would say rather, that this was a classic example of how an attempt 
to provide a good user interface resulted in worse security.  It's 
right up there with IE's penchant for ignoring file types and looking 
at the content, or automatically translating backslashes into slashes 
in a URL.  Yes, the interface has been improved, but in the long run 
it has made far more trouble for end users, developers, and corporate 
security than it was worth.

True, you cannot examine security without taking into account the 
user.  But doing UI work without regard for security is far more 
dangerous.

In any case, the solution here is not necessarily to not hide email 
addresses--although lots of email programs seem to manage just fine 
without that feature--it's not to automatically add aliases.  Or at 
the very least, to not hide aliases that were automatically added. 
The main advantage of adding aliases automatically, that you have 
to do less typing when you send to one of them, can be kept while 
treating automatically added aliases differently than manually 
added aliases.  Hmmm.  Different levels of security depending on 
where the data came from.  That sounds like something that fits the 
Microsoft model perfectly.
-- 

Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

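Added example, not from the thread or any mail client mentioned in it: the "display name <address>" rendering Dan Kaminsky recommends, plus a defender-side check that flags a display name that itself looks like an address but differs from the real one. Header values are constructed samples; `render_sender` and `looks_spoofed` are names chosen here.

```python
import re
from email.utils import parseaddr

# Loose pattern for "something that looks like an email address" inside a display name.
_ADDR_LIKE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def render_sender(header_value):
    """Render a From/Reply-To value so the real address is never hidden.

    Returns the "display <address>" form the thread describes (what Mozilla
    Mail, Pine and Mutt show) instead of only the display name or alias.
    """
    name, addr = parseaddr(header_value)
    if not addr:
        return header_value  # unparsable: show the raw value rather than guess
    if not name or name.lower() == addr.lower():
        return addr
    return "%s <%s>" % (name, addr)


def looks_spoofed(header_value):
    """True when the display name contains an address-like string that differs
    from the real address, i.e. a name that would masquerade as another sender
    in a client that shows only the name (the Outlook Express behaviour)."""
    name, addr = parseaddr(header_value)
    if not addr:
        return False
    for candidate in _ADDR_LIKE.findall(name):
        if candidate.lower() != addr.lower():
            return True
    return False


# Constructed sample headers (not taken from the original thread).
SAMPLES = [
    '"myfriend@good.example.org" <attacker@evil.example.net>',
    "My Friend <myfriend@good.example.org>",
    "myfriend@good.example.org",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(render_sender(h), "<-- display name mismatch" if looks_spoofed(h) else "")
```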
