Text 2018, 123 rader
Skriven 2005-01-17 13:54:42 av Ellen K. (1:379/45)
   Kommentar till text 1999 av Rich (1:379/45)
Ärende: Re: Do we protect users from their own stupidity?
=========================================================
From: Ellen K. <72322.enno.esspeayem.1016@compuserve.com>

Periodically I get phishing emails pretending to be from ebay, and they even
manage to get "ebay" into the headers, but if you look up the IP address of
course you find out it's not... but what percentage of users A) know how to
find the header;
B) know how to read it; or
C) know how to look up an IP address?

On Sun, 16 Jan 2005 15:14:01 -0800, "Rich" <@> wrote in message
<41eaf508@w3.nls.net>:

>   I disagree.
>
>   People do very much know the difference between their own computer and the
other computers referenced in phishing attacks.  They know that email comes
from somewhere outside their computer.  They know the web site to which they
are referred is not their computer.  They still are fooled.
>
>   People know they are choosing to download and install software from the
Internet.  What they may not know is that it is or contains spyware.  There is
no confusion over boundaries.
>
>   I believe your whole idea of trust is off base.  People aren't making
decisions on whether or not to trust particular machines.  I douby very much
most people even think that way.  People place trust in other people or in some
cases who they believe those people are.  Phishing attacks for bank sites
succeed because the people the fall pray to them believe that the people
sending the email are valid representitives of the bank and they trust those
people.
>
>   As for your initial premise, I honestly don't know what it is you believe
is consistent that should not be or is different that should not be.  You can't
be referring to the browser which is almost never used for the local computer
and clearly identifies what is local and what is not.
>
>   Your claim regarding phishing is also wrong.  The address bar is one
possible indicator to users.  Phishing attacks preceeded any of these and
continue without them.  I've seen phishing emails that make no attempt to mask
the domain to which they refer.  People still get fooled.  The address bar
probably means little to many users.  I can tell when speaking with and helping
non-technical users that even though they get that they type into the address
bar to go to a site they do not always get that it is overloaded to provide
feedback to them where they have gone.  The same with the status bar.  Their
have been status bar spoofs.  They make little difference.  Do any of these
make a difference to you so that you would be fooled?
>
>Rich
>
>  "Geo" <georger@nls.net> wrote in message news:41ea4440@w3.nls.net...
>  part of the reason it's so easy to fool people is because of Microsoft.
Remember some years ago when I said to make a consistant interface that blurs
the line between the local machine and remote machines/internet machines was a
mistake? Well that's one of the big reasons why people today are so easy to
fool. They don't understand the concept of trusted/untrusted machines because
it all looks the same to them. They honestly don't know where their machine
ends and the rest of the world begins.
>
>  I understood the logic behind making that a consistent interface and
blurring the line but I saw the problem with it as well. How is a user to know
the difference between a remote website and a help page from one of their own
programs if there is no difference?
>
>  As for not knowing anyone who was infected due to the exploit of a bug,
doesn't phishing work because of a bug that allows IE to show one address in
the address bar while in fact it's talking to another address? What, doesn't
that count?
>
>  Geo.
>    "Rich" <@> wrote in message news:41e9f4ea$1@w3.nls.net...
>       You can't protect them from their own stupidity.  I've seen plenty of
examples of people getting infected with spyware due to their own explicit
actions, either approving when asked if something should be installed or
explicitly downloading and installing something that is or includes spyware.  I
do not know of anyone personally that was infected due to an exploit of a bug.
Phishing is another example that relies almost entirely on people being to
trusting and doing something they shouldn't.  I haven't seen an email virus in
a long time that did not rely on the user following instructions in the email
to act against his own interest and run or even save then open and run
something they shouldn't.  We are well beyond what many folks would consider
security.  To protect against people making these kinds of mistakes you have to
take choices they can't be trusted making away from them.  That upsets the
folks that can be trusted to or want to make these choices unhappy.  This
>isn't far from the idea that putting you in a straightjacket makes you more
secure because you are less likely to hurt yourself.  As for how people react
to this, do you remember the reaction to cars that buzzed or otherwise made
noise when the driver or a passenger did not wear his seat belt?  It wasn't
positive.
>
>    Rich
>      "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in message
news:48qju0547j4l00akdf69j0bip7fgj8bmp5@4ax.com...
>      And that is a very big problem when trying to figure out what security
>      features should be built in or what functionality should be allowed.  Do
>      we protect users from their own stupidity?   I guess there is a
>      rationale for doing so in that if the masses' machines are laxly secured
>      (if at all), the danger to _everyone_ increases.
>
>      On Mon, 10 Jan 2005 15:07:12 -0800, "Rich" <@> wrote in message
>      <41e30a96@w3.nls.net>:
>
>      >   I agree there are a great many people that have no interest in or
familiarity with exercising the control available to them.  That will always be
true.
>      >
>      >Rich
>      >
>      >  "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in
message news:7og4u0pj8f0nq10sm8t2covkac7q75oj1s@4ax.com...
>      >  Well, I think this conversation is all over the place regarding who
we
>      >  are talking about when we talk about users.  The folks here are an
>      >  entirely different animal from the famous great unwashed masses.
>      >
>      >  On Sun, 9 Jan 2005 01:40:28 -0800, "Rich" <@> wrote in message
>      >  <41e0fbe8@w3.nls.net>:
>      >
>      >  >   Because you are in control, my point to george.
>      >  >
>      >  >Rich

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)