Text 2068, 190 lines
Written 2005-01-19 00:28:28 by Ellen K (1:379/45)
Comment on text 2046 by Robert Comer (1:379/45)
Subject: Re: Do we protect users from their own stupidity?
=========================================================
Which is why I stick with it. :)
But I might cave one of these days... I would really like an email address
where I wouldn't be limited to 100 messages.
> From: "Robert Comer" <bobcomer_removeme@mindspring.com>
>> Please, I'm still using WinCIM 2.6, forces everything to plain text.
> I remember, that was a more general comment than just directed at you. You
> actually are less vulnerable because of your email client.
> - Bob Comer
> "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in message
> news:61cpu01ohf15aapo0ocagqvds0m6369at4@4ax.com...
>> Please, I'm still using WinCIM 2.6, forces everything to plain text.
>>
>> On Mon, 17 Jan 2005 17:02:31 -0500, "Robert Comer"
>> <bobcomer_removeme@mindspring.com> wrote in message
>> <41ec35d6@w3.nls.net>:
>>
>>> I just got a very good imitation of an official Paypal email, this one's
>>> going to fool a few... :(
>>>
>>> There's actually an easy way to tell it's a phishing attack, at least in
>>> OE, just move the mouse cursor over the link and look down at the bottom
>>> status bar, you see what the link really points to. If the domain doesn't
>>> look right for whatever company, it's phishing.
>>>
>>> - Bob Comer
>>>
>>>
>>> "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in message
>>> news:ltcou0lhvanrbp6su81dokr26fcrpiftfa@4ax.com...
>>>> Periodically I get phishing emails pretending to be from ebay, and they
>>>> even manage to get "ebay" into the headers, but if you look up the IP
>>>> address of course you find out it's not... but what percentage of users
>>>> A) know how to find the header;
>>>> B) know how to read it; or
>>>> C) know how to look up an IP address?
>>>>
>>>> On Sun, 16 Jan 2005 15:14:01 -0800, "Rich" <@> wrote in message
>>>> <41eaf508@w3.nls.net>:
>>>>
>>>>> I disagree.
>>>>>
>>>>> People do very much know the difference between their own computer and
>>>>> the other computers referenced in phishing attacks. They know that email
>>>>> comes from somewhere outside their computer. They know the web site to
>>>>> which they are referred is not their computer. They still are fooled.
>>>>>
>>>>> People know they are choosing to download and install software from the
>>>>> Internet. What they may not know is that it is or contains spyware.
>>>>> There is no confusion over boundaries.
>>>>>
>>>>> I believe your whole idea of trust is off base. People aren't making
>>>>> decisions on whether or not to trust particular machines. I doubt very
>>>>> much most people even think that way. People place trust in other people
>>>>> or in some cases who they believe those people are. Phishing attacks for
>>>>> bank sites succeed because the people that fall prey to them believe that
>>>>> the people sending the email are valid representatives of the bank and
>>>>> they trust those people.
>>>>>
>>>>> As for your initial premise, I honestly don't know what it is you
>>>>> believe is consistent that should not be or is different that should not
>>>>> be. You can't be referring to the browser which is almost never used for
>>>>> the local computer and clearly identifies what is local and what is not.
>>>>>
>>>>> Your claim regarding phishing is also wrong. The address bar is one
>>>>> possible indicator to users. Phishing attacks preceded any of these and
>>>>> continue without them. I've seen phishing emails that make no attempt to
>>>>> mask the domain to which they refer. People still get fooled. The
>>>>> address bar probably means little to many users. I can tell when
>>>>> speaking with and helping non-technical users that even though they get
>>>>> that they type into the address bar to go to a site they do not always
>>>>> get that it is overloaded to provide feedback to them where they have
>>>>> gone. The same with the status bar. There have been status bar spoofs.
>>>>> They make little difference. Do any of these make a difference to you so
>>>>> that you would be fooled?
>>>>>
>>>>> Rich
>>>>>
>>>>> "Geo" <georger@nls.net> wrote in message news:41ea4440@w3.nls.net...
>>>>> Part of the reason it's so easy to fool people is because of Microsoft.
>>>>> Remember some years ago when I said to make a consistent interface that
>>>>> blurs the line between the local machine and remote machines/internet
>>>>> machines was a mistake? Well that's one of the big reasons why people
>>>>> today are so easy to fool. They don't understand the concept of
>>>>> trusted/untrusted machines because it all looks the same to them. They
>>>>> honestly don't know where their machine ends and the rest of the world
>>>>> begins.
>>>>>
>>>>> I understood the logic behind making that a consistent interface and
>>>>> blurring the line but I saw the problem with it as well. How is a user to
>>>>> know the difference between a remote website and a help page from one of
>>>>> their own programs if there is no difference?
>>>>>
>>>>> As for not knowing anyone who was infected due to the exploit of a bug,
>>>>> doesn't phishing work because of a bug that allows IE to show one address
>>>>> in the address bar while in fact it's talking to another address? What,
>>>>> doesn't that count?
>>>>>
>>>>> Geo.
>>>>> "Rich" <@> wrote in message news:41e9f4ea$1@w3.nls.net...
>>>>> You can't protect them from their own stupidity. I've seen plenty
>>>>> of examples of people getting infected with spyware due to their own
>>>>> explicit actions, either approving when asked if something should be
>>>>> installed or explicitly downloading and installing something that is or
>>>>> includes spyware. I do not know of anyone personally that was infected
>>>>> due to an exploit of a bug. Phishing is another example that relies
>>>>> almost entirely on people being too trusting and doing something they
>>>>> shouldn't. I haven't seen an email virus in a long time that did not
>>>>> rely on the user following instructions in the email to act against his
>>>>> own interest and run or even save then open and run something they
>>>>> shouldn't. We are well beyond what many folks would consider security.
>>>>> To protect against people making these kinds of mistakes you have to take
>>>>> choices they can't be trusted making away from them. That upsets the
>>>>> folks that can be trusted to or want to make these choices unhappy. This
>>>>> isn't far from the idea that putting you in a straightjacket makes you
>>>>> more secure because you are less likely to hurt yourself. As for how
>>>>> people react to this, do you remember the reaction to cars that buzzed or
>>>>> otherwise made noise when the driver or a passenger did not wear his seat
>>>>> belt? It wasn't positive.
>>>>>
>>>>> Rich
>>>>> "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in
>>>>> message news:48qju0547j4l00akdf69j0bip7fgj8bmp5@4ax.com...
>>>>> And that is a very big problem when trying to figure out what security
>>>>> features should be built in or what functionality should be allowed. Do
>>>>> we protect users from their own stupidity? I guess there is a
>>>>> rationale for doing so in that if the masses' machines are laxly secured
>>>>> (if at all), the danger to _everyone_ increases.
>>>>>
>>>>> On Mon, 10 Jan 2005 15:07:12 -0800, "Rich" <@> wrote in message
>>>>> <41e30a96@w3.nls.net>:
>>>>>
>>>>> > I agree there are a great many people that have no interest in or
>>>>> > familiarity with exercising the control available to them. That will
>>>>> > always be true.
>>>>> >
>>>>> >Rich
>>>>> >
>>>>> > "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in
>>>>> > message news:7og4u0pj8f0nq10sm8t2covkac7q75oj1s@4ax.com...
>>>>> > Well, I think this conversation is all over the place regarding who we
>>>>> > are talking about when we talk about users. The folks here are an
>>>>> > entirely different animal from the famous great unwashed masses.
>>>>> >
>>>>> > On Sun, 9 Jan 2005 01:40:28 -0800, "Rich" <@> wrote in message
>>>>> > <41e0fbe8@w3.nls.net>:
>>>>> >
>>>>> > > Because you are in control, my point to george.
>>>>> > >
>>>>> > >Rich
>>>>
>>>
>>
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)