Fake popup study

Jim Youll jim at cr-labs.com
Wed Sep 24 18:25:32 EDT 2008


On Sep 24, 2008, at 5:45 PM, Perry E. Metzger wrote:

> Jim Youll <jim at cr-labs.com> writes:
>> I think it's got to be said that it's not apparent that the end-users
>> are the /idiots/ who should be called out for "failing" this study.
>>
>> "We" gave them these interfaces, protocols and technologies that
>> allow for things to go so badly wrong. Nothing in the world required
>> the technology ecosystem to become what it is, except design
>> decisions that were (and are) made well out of the sphere of
>> influence of mere "idiot users."
>>
>> This stuff was designed and shepherded to market by the modern
>> captains of industry, by rock star developers and Wunderkinder.
>>
>> When a real engineer builds a bridge that falls down, we blame the
>> engineer, not gravity.
>
> 419 scams are not caused by bad interfaces or bad engineering.
> Phishing is, but clearly not all con games are, and con games are
> remarkably profitable.

The article and the study concerned user vulnerabilities compounded
by poor user interfaces and poor underlying architectures. I was
addressing my comments toward the study generally, and to the
inappropriate but common tone of the article in particular, not to
other out-of-band issues. There are many risks in the world. I see in
that study some confirmation that poor design has made certain of
those risks worse.

> I was having a discussion over lunch about a week ago with a couple of
> pretty well known security people (one of them might pipe up on the
> list). We were considering what would happen in a particular seemingly
> foolproof system with a trusted channel if someone got a message via
> an untrusted channel saying...
>
>  "Now, to complete your book purchase, the trusted system is going to
>   say "If you press "YES", you're going to send all the money you
>   have in the world to a con man in Nigeria" -- this is
>   normal. Please press yes when it says that."
>
> ...a large fraction of users would just press "YES".

Straw man.

> I don't want to claim that there is no place for better human factors
> work in security engineering. There clearly is. However, I will
> repeat, that is not the only story here, and it is not unreasonable to
> note that there are people who are clearly nearly impossible to
> protect with almost any level of human factors engineering and
> security technology.

Considering the magnitude and frequency of losses that apparently occur
through these technologies, and the fact that the crypto and security
technologies are pretty far evolved and seem to work well if used
well, I would counter that human factors are just about all we should
be worrying about right now, if we hope to ever make online activities
as safe as they should be.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com