[3483] in WWW Security List Archive


Re: NS Security Prompt Not for Novices

daemon@ATHENA.MIT.EDU (Mirick, James R.)
Thu Nov 7 12:05:33 1996

Date: Thu, 7 Nov 96 09:19 EST
From: "Mirick, James R." <FBS/DEV01/JRMIRICK%First_Bank_System@mcimail.com>
To: "David W. Morris" <dwm@xpasc.com>, Dave Kinchlea <security@kinch.ark.com>
Cc: www security <www-security@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu

Please reply to the following MCI Mail address: 692-1709


"Basic user" means my uncle and several tens of millions of others, who run
into this horrific message.  They don't know about applications or fully
qualified 8.3 names or anything else, but when they see this they have one
of several responses:  1) "I am now under attack by the Internet" (and
generally they quickly turn off their machine, and breathe a sigh of
relief), 2) "I have done something terribly wrong and I am about to be
reported to the Internet Police."  They have absolutely no clue what this
means nor what to do about it.  And under these circumstances a large number
will just shrug and say, "Oh well the Internet is just the Wild West" and
indeed will blindly say "yes."

The rest will just (and justifiably) say, "well, this is all too complicated
for me, the Internet really IS the playground of perverts, bomb-throwers,
and byte-slicers.  Why don't we get some laws passed about this?"

Moral:  we can't expect laypeople to make decisions in the absence of
reasonably-understandable information, and messages like that one somehow
fall short of real utility to most potential Internet users.

Jim Mirick
First Bank System, Minneapolis

"My opinions are (still) my own and not necessarily those of the rest of the
bank"

_______________________
. . . Dave Kinchlea had responded to the original, saying:

I am not sure what your point is here, nor do I know what you mean by a
`basic user'. This all seems pretty clear to me: Netscape is warning you
that a particular application (which they name with a full file spec) is
to be launched IF AND ONLY IF you allow it. It provides a way to not be
continually annoyed with this notice, on an individual application basis if
that is your preference.  Presumedly, any user would be happy to have this
information and I have trouble believing that *anyone* would not know what
Netscape was asking.

I DO believe that many would not understand how `malicious code ....' will
interact with their computer, but I think it is reasonable for people to
key on the well known word "malicious". Only a fool would blindly say yes
to this if they didn't understand what was happening (and yes, there are a
lot of fools but how is that Netscape's problem?).

While the 8.3 limits on names sometimes make it difficult to know what
the Application is, I don't believe there is too much difficulty in
determining that this is the Sound Recorder (32 bit version) but that is
neither here nor there.

What exactly is your complaint, and how would you do things differently?

cheers, kinch





