Text 2019, 144 rader
Skriven 2005-01-17 17:02:30 av Robert Comer (1:379/45)
Kommentar till text 2018 av Ellen K. (1:379/45)
Ärende: Re: Do we protect users from their own stupidity?
=========================================================
From: "Robert Comer" <bobcomer_removeme@mindspring.com>
I just got a very good imitation of an official Paypal email, this one's going
to fool a few... :(
There's actually an easy way to tell it's a phishing attack, at least in OE,
just move the mouse cursor over the link and look down at the bottom status
bar, you see what the link really points to. If the domain doesn't look right
for whatever company, it's phishing.
- Bob Comer
"Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in message
news:ltcou0lhvanrbp6su81dokr26fcrpiftfa@4ax.com...
> Periodically I get phishing emails pretending to be from ebay, and they
> even manage to get "ebay" into the headers, but if you look up the IP
> address of course you find out it's not... but what percentage of users
> A) know how to find the header;
> B) know how to read it; or
> C) know how to look up an IP address?
>
> On Sun, 16 Jan 2005 15:14:01 -0800, "Rich" <@> wrote in message
> <41eaf508@w3.nls.net>:
>
>> I disagree.
>>
>> People do very much know the difference between their own computer and
>> the other computers referenced in phishing attacks. They know that email
>> comes from somewhere outside their computer. They know the web site to
>> which they are referred is not their computer. They still are fooled.
>>
>> People know they are choosing to download and install software from the
>> Internet. What they may not know is that it is or contains spyware.
>> There is no confusion over boundaries.
>>
>> I believe your whole idea of trust is off base. People aren't making
>> decisions on whether or not to trust particular machines. I douby very
>> much most people even think that way. People place trust in other people
>> or in some cases who they believe those people are. Phishing attacks for
>> bank sites succeed because the people the fall pray to them believe that
>> the people sending the email are valid representitives of the bank and
>> they trust those people.
>>
>> As for your initial premise, I honestly don't know what it is you
>> believe is consistent that should not be or is different that should not
>> be. You can't be referring to the browser which is almost never used for
>> the local computer and clearly identifies what is local and what is not.
>>
>> Your claim regarding phishing is also wrong. The address bar is one
>> possible indicator to users. Phishing attacks preceeded any of these and
>> continue without them. I've seen phishing emails that make no attempt to
>> mask the domain to which they refer. People still get fooled. The
>> address bar probably means little to many users. I can tell when
>> speaking with and helping non-technical users that even though they get
>> that they type into the address bar to go to a site they do not always
>> get that it is overloaded to provide feedback to them where they have
>> gone. The same with the status bar. Their have been status bar spoofs.
>> They make little difference. Do any of these make a difference to you so
>> that you would be fooled?
>>
>>Rich
>>
>> "Geo" <georger@nls.net> wrote in message news:41ea4440@w3.nls.net...
>> part of the reason it's so easy to fool people is because of Microsoft.
>> Remember some years ago when I said to make a consistant interface that
>> blurs the line between the local machine and remote machines/internet
>> machines was a mistake? Well that's one of the big reasons why people
>> today are so easy to fool. They don't understand the concept of
>> trusted/untrusted machines because it all looks the same to them. They
>> honestly don't know where their machine ends and the rest of the world
>> begins.
>>
>> I understood the logic behind making that a consistent interface and
>> blurring the line but I saw the problem with it as well. How is a user to
>> know the difference between a remote website and a help page from one of
>> their own programs if there is no difference?
>>
>> As for not knowing anyone who was infected due to the exploit of a bug,
>> doesn't phishing work because of a bug that allows IE to show one address
>> in the address bar while in fact it's talking to another address? What,
>> doesn't that count?
>>
>> Geo.
>> "Rich" <@> wrote in message news:41e9f4ea$1@w3.nls.net...
>> You can't protect them from their own stupidity. I've seen plenty
>> of examples of people getting infected with spyware due to their own
>> explicit actions, either approving when asked if something should be
>> installed or explicitly downloading and installing something that is or
>> includes spyware. I do not know of anyone personally that was infected
>> due to an exploit of a bug. Phishing is another example that relies
>> almost entirely on people being to trusting and doing something they
>> shouldn't. I haven't seen an email virus in a long time that did not
>> rely on the user following instructions in the email to act against his
>> own interest and run or even save then open and run something they
>> shouldn't. We are well beyond what many folks would consider security.
>> To protect against people making these kinds of mistakes you have to take
>> choices they can't be trusted making away from them. That upsets the
>> folks that can be trusted to or want to make these choices unhappy. This
>>isn't far from the idea that putting you in a straightjacket makes you
>>more secure because you are less likely to hurt yourself. As for how
>>people react to this, do you remember the reaction to cars that buzzed or
>>otherwise made noise when the driver or a passenger did not wear his seat
>>belt? It wasn't positive.
>>
>> Rich
>> "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in
>> message news:48qju0547j4l00akdf69j0bip7fgj8bmp5@4ax.com...
>> And that is a very big problem when trying to figure out what
>> security
>> features should be built in or what functionality should be allowed.
>> Do
>> we protect users from their own stupidity? I guess there is a
>> rationale for doing so in that if the masses' machines are laxly
>> secured
>> (if at all), the danger to _everyone_ increases.
>>
>> On Mon, 10 Jan 2005 15:07:12 -0800, "Rich" <@> wrote in message
>> <41e30a96@w3.nls.net>:
>>
>> > I agree there are a great many people that have no interest in
>> or familiarity with exercising the control available to them. That will
>> always be true.
>> >
>> >Rich
>> >
>> > "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in
>> message news:7og4u0pj8f0nq10sm8t2covkac7q75oj1s@4ax.com...
>> > Well, I think this conversation is all over the place regarding
>> who we
>> > are talking about when we talk about users. The folks here are
>> an
>> > entirely different animal from the famous great unwashed masses.
>> >
>> > On Sun, 9 Jan 2005 01:40:28 -0800, "Rich" <@> wrote in message
>> > <41e0fbe8@w3.nls.net>:
>> >
>> > > Because you are in control, my point to george.
>> > >
>> > >Rich
>
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
|