Reliance on Microsoft called risk to U.S. security

William Allen Simpson wsimpson at greendragon.com
Sat Sep 27 18:51:26 EDT 2003


"Jeroen C.van Gelderen" wrote:
> 
> On Saturday, Sep 27, 2003, at 15:48 US/Eastern,
> Victor.Duchovni at morganstanley.com wrote:
> 
> > You have not met my users!
> 
> Indeed, but I'm here to learn :)
>... 
> something is wrong. Why would she click "YES"?
>... 
> Because I'm an optimist I believe that Alice will read the dialog and
> err on the side of caution. Maybe that isn't realistic. ...
> 
> I agree that such composition must be intuitive or we cannot expect it
> to work. I think that CapDesk is a nice publicly available prototype of
> a workable capability desktop. It would be very interesting to see your
> assessment on whether a CapDesk approach would be workable for your
> users. And if it isn't, why not. I hope you can lend your experience.
> 
OK, I'll lend mine.  With my ISP hat on, the vast majority of support 
calls have to do with users ignoring the content of M$ dialog boxes,  
hitting YES or OK, then calling when things don't work.  Admittedly, 
the text in those dialog boxes isn't particularly useful.  But this 
costs us a lot of good old hard cash.

Or with my personal hat, my 15-year-old niece had an infected machine.  
Actually a multiply infected machine.  Took me several hours to clean up.  
And then I watched her check her Yahoo mail, and click yes on the very 
next Norton/McAfee dialog box, reinfecting her Comcast-connected machine 
before my very eyes. 

Why, I asked?  I just spent a lot of time fixing your machine, and 
explained what had gone wrong.  She says, "That message came from my 
best friend at school."  

Of course it didn't.  But it probably came from another friend with 
them both in the address book.  And social engineering is a lot more 
powerful than any amount of training, no matter how very recent!

The answer to a technical problem is _not_ depending on user caution!
-- 
William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


