[14315] in cryptography@c2.net mail archive
Re: Reliance on Microsoft called risk to U.S. security
daemon@ATHENA.MIT.EDU (William Allen Simpson)
Sun Sep 28 04:34:01 2003
X-Original-To: cryptography@metzdowd.com
Date: Sat, 27 Sep 2003 18:51:26 -0400
From: William Allen Simpson <wsimpson@greendragon.com>
To: cryptography@metzdowd.com
"Jeroen C.van Gelderen" wrote:
>
> On Saturday, Sep 27, 2003, at 15:48 US/Eastern,
> Victor.Duchovni@morganstanley.com wrote:
>
> > You have not met my users!
>
> Indeed, but I'm here to learn :)
>...
> something is wrong. Why would she click "YES"?
>...
> Because I'm an optimist I believe that Alice will read the dialog and
> err on the side of caution. Maybe that isn't realistic. ...
>
> I agree that such composition must be intuitive or we cannot expect it
> to work. I think that CapDesk is a nice publicly available prototype of
> a workable capability desktop. It would be very interesting to see your
> assessment on whether a CapDesk approach would be workable for your
> users. And if it isn't, why not. I hope you can lend your experience.
>

OK, I'll lend mine. With my ISP hat on, the vast majority of support
calls have to do with users ignoring the content of M$ dialog boxes,
hitting YES or OK, then calling when things don't work. Admittedly,
the text in those dialog boxes isn't particularly useful. But this
costs us a lot of good old hard cash.

Or with my personal hat, my 15-year-old niece had an infected machine.
Actually a multiply infected machine. Took me several hours to clean up.
And then I watched her check her yahoo mail, and click yes on the very
next Norton/McAfee dialog box, reinfecting her Comcast connected machine
before my very eyes.

Why, I asked? I just spent a lot of time fixing your machine, and
explained what had gone wrong. She says, "That message came from my
best friend at school."

Of course it didn't. But it probably came from another friend with
them both in the address book. And social engineering is a lot more
powerful than any amount of training, no matter how very recent!

The answer to a technical problem is _not_ depending on user caution!

--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com