Reliance on Microsoft called risk to U.S. security

Jürgen Botz jurgen at botz.org
Sun Sep 28 05:37:51 EDT 2003


On Sat, 27 Sep 2003, Jeroen C. van Gelderen wrote:
> Could it not ask the user? My Apple regularly asks for decisions of
> this sort, and remembers the results. So do (popular firewall)
> products on the PC. Now, most of these questions are too technical in
> nature but the point remains that asking a question and remembering the
> answer is possible.
>
> I continue to believe that few users would grant an email message
> access to both the Internet and the Address Book when they are asked
> those two questions, provided that the user had not been conditioned to
> clicking "YES" in order to get any work done at all.

Victor.Duchovni at morganstanley.com wrote:
> You have not met my users! This is really rather naive. Users don't
> understand pop dialogues, they raise their stress level, always clicking
> "yes" makes the problem go away.

Yes... and it isn't that the users are stupid or ignorant.  Most
of the time it's /really hard/ to be 100% sure, unambiguously,
what the pop-up dialogue is talking about.  This is for several
reasons...

- Language.  It's hard to write a clear and unambiguous
   message, and since these are written by programmers they
   usually aren't even grammatically correct, never mind clear
   and unambiguous.

- Context.  The user often has multiple things going on, and
   often acts faster than the computer's stupid, slow, laggy,
   ugly GUI... now what did I do that caused this pop-up?  Was
   it my last click, or the other window that finally popped up
   from the link I clicked 2 minutes ago and which I had almost
   forgotten about?

- User mental "state".  The pop-up may ask for permission to use
   a previously entered password, but the user can't remember what
   they previously entered... was that one of my throwaway,
   non-secure passwords, or was it the PIN for my bank account?

These uncertainties cause stress.  After stressing about it for
a while the user clicks one choice only to find later that that
was the wrong one, increasing the stress level even more the
next time.  They are likely to soon give up, but even if they do
persevere in paying attention and trying to make the right choices,
the percentage of errors is going to be very high, and since a single
error can critically compromise security this means it's basically
hopeless.

:j

--
Jürgen Botz               | While differing widely in the various
jurgen at botz.org           | little bits we know, in our infinite
                           | ignorance we are all equal. -Karl Popper



---------------------------------------------------------------------
The Cryptography Mailing List