On Thu, 2004-08-26 at 03:39 -0400, Bryan Clark wrote:
> On Thu, 2004-08-26 at 08:54 +0200, Nils Philippsen wrote:
> > That when some people are struggling to get the majority of
> > Windows-ridden persons _not_ to trust everything that's on a web page...
> > Well the idea is that there will be bugs and there will be security
> > holes and that I don't want to make it easier for the Black Hats to
> > exploit these by just popping up a nicely crafted web page. Just think
> > about the changes you need to do: now you have to check whether
> > following special links is allowed, therefore you have to remember that
> > a page is internal... With a dialog you get all of this for free and
> > trust me, people are not as scared by dialogs as you seem to think
> > ;-).
>
> javascript::alert("Phear") will look just like any alert dialog we
> create in the system and there are other dialog boxes that can be
> constructed via javascript that will be able to trick people in other
> interactions.
>
> Actually this is getting worse and worse. Last time I was home using my
> mom's PC with IE there was a popup/under window that had what looked to
> be a DOS window that just finished a scan of my computer and found some
> "bad things". It even had a blinking cursor which I believe was
> provided via an animated gif.
>
> Social engineering will always be the best way to spread viruses and
> other malicious software. There probably won't be a good way to stop
> this anytime soon, if it's ever really possible. Probably the best way
> to get around this is for people to be able to reasonably understand and
> expect what a computer will do or ask of them at any time; then they can
> always make an informed choice with their actions. However, since computers
> keep changing and updating, the defaults change and things look
> different, so it's pretty hard to expect this of people.
>
> This is like being able to predict what my 4 year old cousin is going to
> say next, could be about dinosaurs or it could be about some T.V. show;
> I can barely understand what he's saying anyway. Many people feel this
> way about computers, "I unplugged the network cable and an Evolution
> dialog said: 'Error pinging IMAP server' : 'Error: Success'" Next month
> it will say "Error D-BUS activation: failure" :-(

Hold on; haven't written that bit yet :-)

There's an interesting paper on these issues here; I'm wondering what you
think of it:

http://www.sims.berkeley.edu/~ping/sid/uidss.pdf

> I'm sure clever social engineering has caught us all at one time or
> another. When you opened up what seemed like it could be a normal email
> and it turned out that the 'Re: Staff Bulletin' subject line which was
> just too close to real to ignore was actually spam.
>
> Cheers,
> ~ Bryan
>
> --
> Bryan Clark <bclark@xxxxxxxxxx>
> Red Hat Desktop Design Ninja
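The "you have to remember that a page is internal" check from the quoted exchange, written out as an added example. This is not Evolution's code and not either poster's; the "app-action" scheme, the Page/decide/audit names and the "follow"/"confirm"/"block" verdicts are assumptions made here. It also goes one step past the thread by canonicalising the link scheme before the allowlist lookup, since a crafted page can spell "javascript:" with mixed case, tabs or entity-encoded characters.

```python
"""Link policy for HTML rendered inside a mail client (hypothetical example).

Privileged "special" links are honoured only on pages the application
generated itself; anything that arrived as a message body is untrusted.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Schemes that trigger application behaviour. "app-action" is an assumed
# placeholder for whatever scheme a real client would reserve for itself.
PRIVILEGED_SCHEMES = frozenset({"app-action", "javascript"})
WEB_SCHEMES = frozenset({"http", "https"})


@dataclass(frozen=True)
class Page:
    """Provenance of a rendered page. `internal` must be set by the
    application when it builds the page, never derived from the content."""
    source: str
    internal: bool


def scheme_of(href: str) -> str:
    """Canonicalise the scheme before comparing it against any allowlist.

    Tabs, newlines, zero-width characters and surrounding whitespace are
    removed first, so " JaVa\tScRiPt:" and "javascript:" decide the same way.
    """
    cleaned = "".join(ch for ch in href if ch.isprintable()).strip()
    return urlsplit(cleaned).scheme.lower()


def decide(page: Page, href: str) -> str:
    """Return "follow", "confirm" or "block" for a click on `href`."""
    scheme = scheme_of(href)
    if scheme in PRIVILEGED_SCHEMES:
        # A crafted message must never reach privileged actions.
        return "follow" if page.internal else "block"
    if scheme in WEB_SCHEMES:
        # External content gets a confirmation dialog; internal pages do not.
        return "follow" if page.internal else "confirm"
    # Unknown or empty scheme (ftp:, data:, protocol-relative "//host/"): refuse.
    return "block"


class HrefCollector(HTMLParser):
    """Collects href attributes of <a> tags. HTMLParser decodes entities in
    attribute values, so "java&#9;script:" arrives here as "java\tscript:"."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def audit(page: Page, html: str) -> List[Tuple[str, str]]:
    """Apply the policy to every link in `html`."""
    collector = HrefCollector()
    collector.feed(html)
    return [(href, decide(page, href)) for href in collector.hrefs]


# Constructed sample message: a spoofed alert, an obfuscated scheme,
# a privileged action, a normal web link and an unsupported scheme.
CRAFTED_MAIL = """
<p>Your mailbox is full. Click below to fix it.</p>
<a href="JaVaScRiPt:alert('Phear')">Fix it now</a>
<a href=" java&#9;script:alert('Phear')">Click here</a>
<a href="app-action:compact-folders">Clean up</a>
<a href="http://example.test/help">Help</a>
<a href="ftp://example.test/update">Mirror</a>
"""

if __name__ == "__main__":
    untrusted = Page("message from unknown sender", internal=False)
    for href, verdict in audit(untrusted, CRAFTED_MAIL):
        print(f"{verdict:8} {href!r}")
```

The point of the `scheme_of` step is that the allowlist is only as good as the string it is compared against: without canonicalisation, "JaVaScRiPt:" and the entity-encoded tab variant would fall through to the "unknown scheme" branch in this policy, which happens to block them, but in a client that falls back to "just open it" they would run.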