Text 2041, 151 lines
Written 2005-01-17 22:44:14 by Ellen K. (1:379/45)
Comment on text 2019 by Robert Comer (1:379/45)
Subject: Re: Do we protect users from their own stupidity?
=========================================================
From: Ellen K. <72322.enno.esspeayem.1016@compuserve.com>
Please, I'm still using WinCIM 2.6, forces everything to plain text.
On Mon, 17 Jan 2005 17:02:31 -0500, "Robert Comer"
<bobcomer_removeme@mindspring.com> wrote in message
<41ec35d6@w3.nls.net>:
>I just got a very good imitation of an official Paypal email, this one's
>going to fool a few... :(
>
>There's actually an easy way to tell it's a phishing attack, at least in OE,
>just move the mouse cursor over the link and look down at the bottom status
>bar, you see what the link really points to. If the domain doesn't look
>right for whatever company, it's phishing.
>
>- Bob Comer
>
>
>"Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in message
>news:ltcou0lhvanrbp6su81dokr26fcrpiftfa@4ax.com...
>> Periodically I get phishing emails pretending to be from ebay, and they
>> even manage to get "ebay" into the headers, but if you look up the IP
>> address of course you find out it's not... but what percentage of users
>> A) know how to find the header;
>> B) know how to read it; or
>> C) know how to look up an IP address?
>>
>> On Sun, 16 Jan 2005 15:14:01 -0800, "Rich" <@> wrote in message
>> <41eaf508@w3.nls.net>:
>>
>>> I disagree.
>>>
>>> People do very much know the difference between their own computer and
>>> the other computers referenced in phishing attacks. They know that email
>>> comes from somewhere outside their computer. They know the web site to
>>> which they are referred is not their computer. They still are fooled.
>>>
>>> People know they are choosing to download and install software from the
>>> Internet. What they may not know is that it is or contains spyware.
>>> There is no confusion over boundaries.
>>>
>>> I believe your whole idea of trust is off base. People aren't making
>>>> decisions on whether or not to trust particular machines. I doubt very
>>> much most people even think that way. People place trust in other people
>>> or in some cases who they believe those people are. Phishing attacks for
>>>> bank sites succeed because the people that fall prey to them believe that
>>>> the people sending the email are valid representatives of the bank and
>>> they trust those people.
>>>
>>> As for your initial premise, I honestly don't know what it is you
>>> believe is consistent that should not be or is different that should not
>>> be. You can't be referring to the browser which is almost never used for
>>> the local computer and clearly identifies what is local and what is not.
>>>
>>> Your claim regarding phishing is also wrong. The address bar is one
>>>> possible indicator to users. Phishing attacks preceded any of these and
>>> continue without them. I've seen phishing emails that make no attempt to
>>> mask the domain to which they refer. People still get fooled. The
>>> address bar probably means little to many users. I can tell when
>>> speaking with and helping non-technical users that even though they get
>>> that they type into the address bar to go to a site they do not always
>>> get that it is overloaded to provide feedback to them where they have
>>>> gone. The same with the status bar. There have been status bar spoofs.
>>> They make little difference. Do any of these make a difference to you so
>>> that you would be fooled?
>>>
>>>Rich
>>>
>>> "Geo" <georger@nls.net> wrote in message news:41ea4440@w3.nls.net...
>>>> Part of the reason it's so easy to fool people is because of Microsoft.
>>>> Remember some years ago when I said to make a consistent interface that
>>> blurs the line between the local machine and remote machines/internet
>>> machines was a mistake? Well that's one of the big reasons why people
>>> today are so easy to fool. They don't understand the concept of
>>> trusted/untrusted machines because it all looks the same to them. They
>>> honestly don't know where their machine ends and the rest of the world
>>> begins.
>>>
>>> I understood the logic behind making that a consistent interface and
>>> blurring the line but I saw the problem with it as well. How is a user to
>>> know the difference between a remote website and a help page from one of
>>> their own programs if there is no difference?
>>>
>>> As for not knowing anyone who was infected due to the exploit of a bug,
>>> doesn't phishing work because of a bug that allows IE to show one address
>>> in the address bar while in fact it's talking to another address? What,
>>> doesn't that count?
>>>
>>> Geo.
>>> "Rich" <@> wrote in message news:41e9f4ea$1@w3.nls.net...
>>> You can't protect them from their own stupidity. I've seen plenty
>>> of examples of people getting infected with spyware due to their own
>>> explicit actions, either approving when asked if something should be
>>> installed or explicitly downloading and installing something that is or
>>> includes spyware. I do not know of anyone personally that was infected
>>> due to an exploit of a bug. Phishing is another example that relies
>>>> almost entirely on people being too trusting and doing something they
>>> shouldn't. I haven't seen an email virus in a long time that did not
>>> rely on the user following instructions in the email to act against his
>>> own interest and run or even save then open and run something they
>>> shouldn't. We are well beyond what many folks would consider security.
>>> To protect against people making these kinds of mistakes you have to take
>>> choices they can't be trusted making away from them. That upsets the
>>> folks that can be trusted to or want to make these choices unhappy. This
>>>> isn't far from the idea that putting you in a straightjacket makes you
>>>> more secure because you are less likely to hurt yourself. As for how
>>>> people react to this, do you remember the reaction to cars that buzzed or
>>>> otherwise made noise when the driver or a passenger did not wear his seat
>>>> belt? It wasn't positive.
>>>
>>> Rich
>>> "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in
>>> message news:48qju0547j4l00akdf69j0bip7fgj8bmp5@4ax.com...
>>>> And that is a very big problem when trying to figure out what security
>>>> features should be built in or what functionality should be allowed. Do
>>>> we protect users from their own stupidity? I guess there is a
>>>> rationale for doing so in that if the masses' machines are laxly secured
>>>> (if at all), the danger to _everyone_ increases.
>>>
>>> On Mon, 10 Jan 2005 15:07:12 -0800, "Rich" <@> wrote in message
>>> <41e30a96@w3.nls.net>:
>>>
>>>> > I agree there are a great many people that have no interest in
>>>> > or familiarity with exercising the control available to them. That will
>>>> > always be true.
>>> >
>>> >Rich
>>> >
>>>> > "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in
>>>> > message news:7og4u0pj8f0nq10sm8t2covkac7q75oj1s@4ax.com...
>>>> > Well, I think this conversation is all over the place regarding who we
>>>> > are talking about when we talk about users. The folks here are an
>>>> > entirely different animal from the famous great unwashed masses.
>>> >
>>> > On Sun, 9 Jan 2005 01:40:28 -0800, "Rich" <@> wrote in message
>>> > <41e0fbe8@w3.nls.net>:
>>> >
>>> > > Because you are in control, my point to george.
>>> > >
>>> > >Rich
>>
>
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)