Text 2076, 292 lines
Written 2005-01-19 11:37:56 by Glenn Meadows (1:379/45)
Comment on text 2055 by Geo (1:379/45)
Subject: Re: Do we protect users from their own stupidity?
=========================================================
From: "Glenn Meadows" <gmeadow@comcast.net>
eBay is moving to that, with their eBay mail boxes now. If you have pending
mail, when you log in, you get a message as such. I think the only eBay's I
get now are bidding confirmations, and one general bulk email with links to
different areas. There was a news report that eBay was moving to that to
communicate with users, rather than direct email to them.
--
Glenn M.
"Geo" <georger@nls.net> wrote in message news:41eda01e@w3.nls.net...
> The flip side is that in order to prevent phishing, companies are going to
> have to stop spamming users. <g> (as in if you get an unrequested email from
> us, rest assured it's not from us)
>
> Geo.
>
> "Robert Comer" <bobcomer@mindspring.com> wrote in message
> news:41ec6d9f@w3.nls.net...
> > Bummer. :(
> >
> > This is really bad, eventually almost everyone is going to get one of these
> > from a company they do deal with and trust, and zap, infected.
> >
> > - Bob Comer
> >
> >
> > "Geo" <georger@nls.net> wrote in message news:41ec4e7a$2@w3.nls.net...
> > > there is a way to spoof the bottom display too, I think there is an example
> > > on www.malware.com site.
> > >
> > > Geo.
> > >
> > > "Robert Comer" <bobcomer_removeme@mindspring.com> wrote in message
> > > news:41ec35d6@w3.nls.net...
> > >> I just got a very good imitation of an official Paypal email, this one's
> > >> going to fool a few... :(
> > >>
> > >> There's actually an easy way to tell it's a phishing attack, at least in OE,
> > >> just move the mouse cursor over the link and look down at the bottom status
> > >> bar, you see what the link really points to. If the domain doesn't look
> > >> right for whatever company, it's phishing.
> > >>
> > >> - Bob Comer
> > >>
> > >>
> > >> "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in message
> > >> news:ltcou0lhvanrbp6su81dokr26fcrpiftfa@4ax.com...
> > >> > Periodically I get phishing emails pretending to be from ebay, and they
> > >> > even manage to get "ebay" into the headers, but if you look up the IP
> > >> > address of course you find out it's not... but what percentage of users
> > >> > A) know how to find the header;
> > >> > B) know how to read it; or
> > >> > C) know how to look up an IP address?
> > >> >
> > >> > On Sun, 16 Jan 2005 15:14:01 -0800, "Rich" <@> wrote in message
> > >> > <41eaf508@w3.nls.net>:
> > >> >
> > >> >> I disagree.
> > >> >>
> > >> >> People do very much know the difference between their own computer and
> > >> >> the other computers referenced in phishing attacks. They know that email
> > >> >> comes from somewhere outside their computer. They know the web site to
> > >> >> which they are referred is not their computer. They still are fooled.
> > >> >>
> > >> >> People know they are choosing to download and install software from the
> > >> >> Internet. What they may not know is that it is or contains spyware.
> > >> >> There is no confusion over boundaries.
> > >> >>
> > >> >> I believe your whole idea of trust is off base. People aren't making
> > >> >> decisions on whether or not to trust particular machines. I doubt very
> > >> >> much most people even think that way. People place trust in other people
> > >> >> or in some cases who they believe those people are. Phishing attacks for
> > >> >> bank sites succeed because the people that fall prey to them believe that
> > >> >> the people sending the email are valid representatives of the bank and
> > >> >> they trust those people.
> > >> >>
> > >> >> As for your initial premise, I honestly don't know what it is you
> > >> >> believe is consistent that should not be or is different that should not
> > >> >> be. You can't be referring to the browser which is almost never used for
> > >> >> the local computer and clearly identifies what is local and what is not.
> > >> >>
> > >> >> Your claim regarding phishing is also wrong. The address bar is one
> > >> >> possible indicator to users. Phishing attacks preceded any of these and
> > >> >> continue without them. I've seen phishing emails that make no attempt to
> > >> >> mask the domain to which they refer. People still get fooled. The
> > >> >> address bar probably means little to many users. I can tell when
> > >> >> speaking with and helping non-technical users that even though they get
> > >> >> that they type into the address bar to go to a site they do not always
> > >> >> get that it is overloaded to provide feedback to them where they have
> > >> >> gone. The same with the status bar. There have been status bar spoofs.
> > >> >> They make little difference. Do any of these make a difference to you so
> > >> >> that you would be fooled?
> > >> >>
> > >> >>Rich
> > >> >>
> > >> >> "Geo" <georger@nls.net> wrote in message news:41ea4440@w3.nls.net...
> > >> >> part of the reason it's so easy to fool people is because of Microsoft.
> > >> >> Remember some years ago when I said to make a consistent interface that
> > >> >> blurs the line between the local machine and remote machines/internet
> > >> >> machines was a mistake? Well that's one of the big reasons why people
> > >> >> today are so easy to fool. They don't understand the concept of
> > >> >> trusted/untrusted machines because it all looks the same to them. They
> > >> >> honestly don't know where their machine ends and the rest of the world
> > >> >> begins.
> > >> >>
> > >> >> I understood the logic behind making that a consistent interface and
> > >> >> blurring the line but I saw the problem with it as well. How is a user to
> > >> >> know the difference between a remote website and a help page from one of
> > >> >> their own programs if there is no difference?
> > >> >>
> > >> >> As for not knowing anyone who was infected due to the exploit of a bug,
> > >> >> doesn't phishing work because of a bug that allows IE to show one address
> > >> >> in the address bar while in fact it's talking to another address? What,
> > >> >> doesn't that count?
> > >> >>
> > >> >> Geo.
> > >> >> "Rich" <@> wrote in message news:41e9f4ea$1@w3.nls.net...
> > >> >> You can't protect them from their own stupidity. I've seen plenty
> > >> >> of examples of people getting infected with spyware due to their own
> > >> >> explicit actions, either approving when asked if something should be
> > >> >> installed or explicitly downloading and installing something that is or
> > >> >> includes spyware. I do not know of anyone personally that was infected
> > >> >> due to an exploit of a bug. Phishing is another example that relies
> > >> >> almost entirely on people being too trusting and doing something they
> > >> >> shouldn't. I haven't seen an email virus in a long time that did not
> > >> >> rely on the user following instructions in the email to act against his
> > >> >> own interest and run or even save then open and run something they
> > >> >> shouldn't. We are well beyond what many folks would consider security.
> > >> >> To protect against people making these kinds of mistakes you have to take
> > >> >> choices they can't be trusted making away from them. That upsets the
> > >> >> folks that can be trusted to or want to make these choices unhappy. This
> > >> >> isn't far from the idea that putting you in a straightjacket makes you
> > >> >> more secure because you are less likely to hurt yourself. As for how
> > >> >> people react to this, do you remember the reaction to cars that buzzed or
> > >> >> otherwise made noise when the driver or a passenger did not wear his seat
> > >> >> belt? It wasn't positive.
> > >> >>
> > >> >> Rich
> > >> >> "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in
> > >> >> message news:48qju0547j4l00akdf69j0bip7fgj8bmp5@4ax.com...
> > >> >> And that is a very big problem when trying to figure out what security
> > >> >> features should be built in or what functionality should be allowed. Do
> > >> >> we protect users from their own stupidity? I guess there is a
> > >> >> rationale for doing so in that if the masses' machines are laxly secured
> > >> >> (if at all), the danger to _everyone_ increases.
> > >> >>
> > >> >> On Mon, 10 Jan 2005 15:07:12 -0800, "Rich" <@> wrote in message
> > >> >> <41e30a96@w3.nls.net>:
> > >> >>
> > >> >> > I agree there are a great many people that have no interest in
> > >> >> > or familiarity with exercising the control available to them. That will
> > >> >> > always be true.
> > >> >> >
> > >> >> >Rich
> > >> >> >
> > >> >> > "Ellen K." <72322.enno.esspeayem.1016@compuserve.com> wrote in
> > >> >> > message news:7og4u0pj8f0nq10sm8t2covkac7q75oj1s@4ax.com...
> > >> >> > Well, I think this conversation is all over the place regarding who we
> > >> >> > are talking about when we talk about users. The folks here are an
> > >> >> > entirely different animal from the famous great unwashed masses.
> > >> >> >
> > >> >> > On Sun, 9 Jan 2005 01:40:28 -0800, "Rich" <@> wrote in message
> > >> >> > <41e0fbe8@w3.nls.net>:
> > >> >> >
> > >> >> > > Because you are in control, my point to george.
> > >> >> > >
> > >> >> > >Rich
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)