[14321] in cryptography@c2.net mail archive
Re: Reliance on Microsoft called risk to U.S. security
daemon@ATHENA.MIT.EDU (Jürgen Botz)
Sun Sep 28 12:21:47 2003
X-Original-To: cryptography@metzdowd.com
Date: Sun, 28 Sep 2003 02:37:51 -0700
From: Jürgen Botz <jurgen@botz.org>
To: Victor.Duchovni@morganstanley.com
Cc: "Jeroen C.van Gelderen" <jeroen@vangelderen.org>,
Bill Frantz <frantz@pwpconsult.com>, Ian Grigg <iang@systemics.com>,
cryptography@metzdowd.com
In-Reply-To: <Pine.GSO.4.58.200309271543250.9026@sasas1.ms.com>

On Sat, 27 Sep 2003, Jeroen C.van Gelderen wrote:
> Could it not ask the user? My Apple regularly asks for decisions of
> this sort, and remembers the results. So do (popular firewall)
> products on the PC. Now, most of these questions are too technical in
> nature but point remains that asking question and remembering the
> answer is possible.
>
> I continue to believe that few users would grant an email message
> access to both the Internet and the Address Book when they are asked
> those two questions, provided that the user had not been conditioned to
> clicking "YES" in order to get any work done at all.

Victor.Duchovni@morganstanley.com wrote:
> You have not met my users! This is really rather naive. Users don't
> understand pop dialogues, they raise their stress level, always clicking
> "yes" makes the problem go away.

Yes... and it isn't that the users are stupid or ignorant. Most
of the time it's /really hard/ to be 100% sure, unambiguously,
what the pop-up dialogue is talking about. This is for several
reasons...

- Language. It's hard to write a clear and unambiguous
  message, and since these are written by programmers they
  usually aren't even grammatically correct, never mind clear
  and unambiguous.
- Context. The user often has multiple things going on, and
  often acts faster than the computer's stupid, slow, laggy,
  ugly GUI... now what did I do that caused this pop-up? Was
  it my last click, or the other window that finally popped up
  from the link I clicked 2 minutes ago and which I had almost
  forgotten about?
- User mental "state". The pop-up may ask for permission to use
  a previously entered password, but the user can't remember what
  they previously entered... was that one of my throwaway,
  non-secure passwords, or was it the PIN for my bank account?

These uncertainties cause stress. After stressing about it for
a while the user clicks one choice only to find later that that
was the wrong one, increasing the stress level even more the
next time. They are likely to soon give up, but even if they do
persevere in paying attention and trying to make the right choices,
the percentage of errors is going to be very high, and since a single
error can critically compromise security this means it's basically
hopeless.
:j
--
Jürgen Botz | While differing widely in the various
jurgen@botz.org | little bits we know, in our infinite
| ignorance we are all equal. -Karl Popper
---------------------------------------------------------------------
The Cryptography Mailing List