Text 2030, 206 lines
Written 2005-01-17 21:00:40 by Robert Comer (1:379/45)
Comment on text 2024 by Geo (1:379/45)
Subject: Re: Do we protect users from their own stupidity?
=========================================================
From: "Robert Comer" <bobcomer@mindspring.com>
Bummer. :(
This is really bad, eventually almost everyone is going to get one of these
from a company they do deal with and trust, and zap, infected.
- Bob Comer
"Geo" <georger@nls.net> wrote in message news:41ec4e7a$2@w3.nls.net...
> there is a way to spoof the bottom display too, I think there is an example
> on www.malware.com site.
>
> Geo.
>
> "Robert Comer" <bobcomer_removeme@mindspring.com> wrote in message
> news:41ec35d6@w3.nls.net...
>> I just got a very good imitation of an official Paypal email, this one's
>> going to fool a few... :(
>>
>> There's actually an easy way to tell it's a phishing attack, at least in OE,
>> just move the mouse cursor over the link and look down at the bottom status
>> bar, you see what the link really points to. If the domain doesn't look
>> right for whatever company, it's phishing.
>>
>> - Bob Comer
>>
>>
>> "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in message
>> news:ltcou0lhvanrbp6su81dokr26fcrpiftfa@4ax.com...
>> > Periodically I get phishing emails pretending to be from ebay, and they
>> > even manage to get "ebay" into the headers, but if you look up the IP
>> > address of course you find out it's not... but what percentage of users
>> > A) know how to find the header;
>> > B) know how to read it; or
>> > C) know how to look up an IP address?
>> >
>> > On Sun, 16 Jan 2005 15:14:01 -0800, "Rich" <@> wrote in message
>> > <41eaf508@w3.nls.net>:
>> >
>> >> I disagree.
>> >>
>> >> People do very much know the difference between their own computer and
>> >> the other computers referenced in phishing attacks. They know that email
>> >> comes from somewhere outside their computer. They know the web site to
>> >> which they are referred is not their computer. They still are fooled.
>> >>
>> >> People know they are choosing to download and install software from the
>> >> Internet. What they may not know is that it is or contains spyware.
>> >> There is no confusion over boundaries.
>> >>
>> >> I believe your whole idea of trust is off base. People aren't making
>> >> decisions on whether or not to trust particular machines. I doubt very
>> >> much most people even think that way. People place trust in other people
>> >> or in some cases who they believe those people are. Phishing attacks for
>> >> bank sites succeed because the people that fall prey to them believe that
>> >> the people sending the email are valid representatives of the bank and
>> >> they trust those people.
>> >>
>> >> As for your initial premise, I honestly don't know what it is you
>> >> believe is consistent that should not be or is different that should not
>> >> be. You can't be referring to the browser which is almost never used for
>> >> the local computer and clearly identifies what is local and what is not.
>> >>
>> >> Your claim regarding phishing is also wrong. The address bar is one
>> >> possible indicator to users. Phishing attacks preceded any of these and
>> >> continue without them. I've seen phishing emails that make no attempt to
>> >> mask the domain to which they refer. People still get fooled. The
>> >> address bar probably means little to many users. I can tell when
>> >> speaking with and helping non-technical users that even though they get
>> >> that they type into the address bar to go to a site they do not always
>> >> get that it is overloaded to provide feedback to them where they have
>> >> gone. The same with the status bar. There have been status bar spoofs.
>> >> They make little difference. Do any of these make a difference to you so
>> >> that you would be fooled?
>> >>
>> >> Rich
>> >>
>> >> "Geo" <georger@nls.net> wrote in message news:41ea4440@w3.nls.net...
>> >> part of the reason it's so easy to fool people is because of Microsoft.
>> >> Remember some years ago when I said to make a consistent interface that
>> >> blurs the line between the local machine and remote machines/internet
>> >> machines was a mistake? Well that's one of the big reasons why people
>> >> today are so easy to fool. They don't understand the concept of
>> >> trusted/untrusted machines because it all looks the same to them. They
>> >> honestly don't know where their machine ends and the rest of the world
>> >> begins.
>> >>
>> >> I understood the logic behind making that a consistent interface and
>> >> blurring the line but I saw the problem with it as well. How is a user to
>> >> know the difference between a remote website and a help page from one of
>> >> their own programs if there is no difference?
>> >>
>> >> As for not knowing anyone who was infected due to the exploit of a bug,
>> >> doesn't phishing work because of a bug that allows IE to show one address
>> >> in the address bar while in fact it's talking to another address? What,
>> >> doesn't that count?
>> >>
>> >> Geo.
>> >> "Rich" <@> wrote in message news:41e9f4ea$1@w3.nls.net...
>> >> You can't protect them from their own stupidity. I've seen plenty
>> >> of examples of people getting infected with spyware due to their own
>> >> explicit actions, either approving when asked if something should be
>> >> installed or explicitly downloading and installing something that is or
>> >> includes spyware. I do not know of anyone personally that was infected
>> >> due to an exploit of a bug. Phishing is another example that relies
>> >> almost entirely on people being too trusting and doing something they
>> >> shouldn't. I haven't seen an email virus in a long time that did not
>> >> rely on the user following instructions in the email to act against his
>> >> own interest and run or even save then open and run something they
>> >> shouldn't. We are well beyond what many folks would consider security.
>> >> To protect against people making these kinds of mistakes you have to take
>> >> choices they can't be trusted making away from them. That upsets the
>> >> folks that can be trusted to or want to make these choices unhappy. This
>> >> isn't far from the idea that putting you in a straightjacket makes you
>> >> more secure because you are less likely to hurt yourself. As for how
>> >> people react to this, do you remember the reaction to cars that buzzed or
>> >> otherwise made noise when the driver or a passenger did not wear his seat
>> >> belt? It wasn't positive.
>> >>
>> >> Rich
>> >> "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in
>> >> message news:48qju0547j4l00akdf69j0bip7fgj8bmp5@4ax.com...
>> >> And that is a very big problem when trying to figure out what security
>> >> features should be built in or what functionality should be allowed. Do
>> >> we protect users from their own stupidity? I guess there is a
>> >> rationale for doing so in that if the masses' machines are laxly secured
>> >> (if at all), the danger to _everyone_ increases.
>> >>
>> >> On Mon, 10 Jan 2005 15:07:12 -0800, "Rich" <@> wrote in message
>> >> <41e30a96@w3.nls.net>:
>> >>
>> >> > I agree there are a great many people that have no interest in
>> >> > or familiarity with exercising the control available to them. That will
>> >> > always be true.
>> >> >
>> >> >Rich
>> >> >
>> >> > "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in
>> >> > message news:7og4u0pj8f0nq10sm8t2covkac7q75oj1s@4ax.com...
>> >> > Well, I think this conversation is all over the place regarding who we
>> >> > are talking about when we talk about users. The folks here are an
>> >> > entirely different animal from the famous great unwashed masses.
>> >> >
>> >> > On Sun, 9 Jan 2005 01:40:28 -0800, "Rich" <@> wrote in message
>> >> > <41e0fbe8@w3.nls.net>:
>> >> >
>> >> > > Because you are in control, my point to george.
>> >> > >
>> >> > >Rich
>> >
>>
>>
>
>
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)