Text 2024, 181 rader
Skriven 2005-01-17 18:43:16 av Geo (1:379/45)
   Kommentar till text 2019 av Robert Comer (1:379/45)
Ärende: Re: Do we protect users from their own stupidity?
=========================================================
From: "Geo" <georger@nls.net>

there is a way to spoof the bottom display too, I think there is an example on
www.malware.com site.

Geo.

"Robert Comer" <bobcomer_removeme@mindspring.com> wrote in message
news:41ec35d6@w3.nls.net...
> I just got a very good imitation of an official Paypal email, this one's
> going to fool a few... :(
>
> There's actually an easy way to tell it's a phishing attack, at least in
OE,
> just move the mouse cursor over the link and look down at the bottom
status
> bar, you see what the link really points to.  If the domain doesn't look
> right for whatever company, it's phishing.
>
> - Bob Comer
>
>
> "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in message
> news:ltcou0lhvanrbp6su81dokr26fcrpiftfa@4ax.com...
> > Periodically I get phishing emails pretending to be from ebay, and they
> > even manage to get "ebay" into the headers, but if you look up the IP
> > address of course you find out it's not... but what percentage of users
> > A) know how to find the header;
> > B) know how to read it; or
> > C) know how to look up an IP address?
> >
> > On Sun, 16 Jan 2005 15:14:01 -0800, "Rich" <@> wrote in message
> > <41eaf508@w3.nls.net>:
> >
> >>   I disagree.
> >>
> >>   People do very much know the difference between their own computer
and
> >> the other computers referenced in phishing attacks.  They know that
email
> >> comes from somewhere outside their computer.  They know the web site to
> >> which they are referred is not their computer.  They still are fooled.
> >>
> >>   People know they are choosing to download and install software from
the
> >> Internet.  What they may not know is that it is or contains spyware.
> >> There is no confusion over boundaries.
> >>
> >>   I believe your whole idea of trust is off base.  People aren't making
> >> decisions on whether or not to trust particular machines.  I douby very
> >> much most people even think that way.  People place trust in other
people
> >> or in some cases who they believe those people are.  Phishing attacks
for
> >> bank sites succeed because the people the fall pray to them believe
that
> >> the people sending the email are valid representitives of the bank and
> >> they trust those people.
> >>
> >>   As for your initial premise, I honestly don't know what it is you
> >> believe is consistent that should not be or is different that should
not
> >> be.  You can't be referring to the browser which is almost never used
for
> >> the local computer and clearly identifies what is local and what is
not.
> >>
> >>   Your claim regarding phishing is also wrong.  The address bar is one
> >> possible indicator to users.  Phishing attacks preceeded any of these
and
> >> continue without them.  I've seen phishing emails that make no attempt
to
> >> mask the domain to which they refer.  People still get fooled.  The
> >> address bar probably means little to many users.  I can tell when
> >> speaking with and helping non-technical users that even though they get
> >> that they type into the address bar to go to a site they do not always
> >> get that it is overloaded to provide feedback to them where they have
> >> gone.  The same with the status bar.  Their have been status bar
spoofs.
> >> They make little difference.  Do any of these make a difference to you
so
> >> that you would be fooled?
> >>
> >>Rich
> >>
> >>  "Geo" <georger@nls.net> wrote in message news:41ea4440@w3.nls.net...
> >>  part of the reason it's so easy to fool people is because of
Microsoft.
> >> Remember some years ago when I said to make a consistant interface that
> >> blurs the line between the local machine and remote machines/internet
> >> machines was a mistake? Well that's one of the big reasons why people
> >> today are so easy to fool. They don't understand the concept of
> >> trusted/untrusted machines because it all looks the same to them. They
> >> honestly don't know where their machine ends and the rest of the world
> >> begins.
> >>
> >>  I understood the logic behind making that a consistent interface and
> >> blurring the line but I saw the problem with it as well. How is a user
to
> >> know the difference between a remote website and a help page from one
of
> >> their own programs if there is no difference?
> >>
> >>  As for not knowing anyone who was infected due to the exploit of a
bug,
> >> doesn't phishing work because of a bug that allows IE to show one
address
> >> in the address bar while in fact it's talking to another address? What,
> >> doesn't that count?
> >>
> >>  Geo.
> >>    "Rich" <@> wrote in message news:41e9f4ea$1@w3.nls.net...
> >>       You can't protect them from their own stupidity.  I've seen
plenty
> >> of examples of people getting infected with spyware due to their own
> >> explicit actions, either approving when asked if something should be
> >> installed or explicitly downloading and installing something that is or
> >> includes spyware.  I do not know of anyone personally that was infected
> >> due to an exploit of a bug.  Phishing is another example that relies
> >> almost entirely on people being to trusting and doing something they
> >> shouldn't.  I haven't seen an email virus in a long time that did not
> >> rely on the user following instructions in the email to act against his
> >> own interest and run or even save then open and run something they
> >> shouldn't.  We are well beyond what many folks would consider security.
> >> To protect against people making these kinds of mistakes you have to
take
> >> choices they can't be trusted making away from them.  That upsets the
> >> folks that can be trusted to or want to make these choices unhappy.
This
> >>isn't far from the idea that putting you in a straightjacket makes you
> >>more secure because you are less likely to hurt yourself.  As for how
> >>people react to this, do you remember the reaction to cars that buzzed
or
> >>otherwise made noise when the driver or a passenger did not wear his
seat
> >>belt?  It wasn't positive.
> >>
> >>    Rich
> >>      "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in
> >> message news:48qju0547j4l00akdf69j0bip7fgj8bmp5@4ax.com...
> >>      And that is a very big problem when trying to figure out what
> >> security
> >>      features should be built in or what functionality should be
allowed.
> >> Do
> >>      we protect users from their own stupidity?   I guess there is a
> >>      rationale for doing so in that if the masses' machines are laxly
> >> secured
> >>      (if at all), the danger to _everyone_ increases.
> >>
> >>      On Mon, 10 Jan 2005 15:07:12 -0800, "Rich" <@> wrote in message
> >>      <41e30a96@w3.nls.net>:
> >>
> >>      >   I agree there are a great many people that have no interest in
> >> or familiarity with exercising the control available to them.  That
will
> >> always be true.
> >>      >
> >>      >Rich
> >>      >
> >>      >  "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in
> >> message news:7og4u0pj8f0nq10sm8t2covkac7q75oj1s@4ax.com...
> >>      >  Well, I think this conversation is all over the place regarding
> >> who we
> >>      >  are talking about when we talk about users.  The folks here are
> >> an
> >>      >  entirely different animal from the famous great unwashed
masses.
> >>      >
> >>      >  On Sun, 9 Jan 2005 01:40:28 -0800, "Rich" <@> wrote in message
> >>      >  <41e0fbe8@w3.nls.net>:
> >>      >
> >>      >  >   Because you are in control, my point to george.
> >>      >  >
> >>      >  >Rich
> >
>
>

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)