UI for Secure Systems (was Re: upgrade to rawhide report)

David Malcolm dmalcolm at redhat.com
Fri Aug 27 01:59:06 UTC 2004


On Thu, 2004-08-26 at 03:39 -0400, Bryan Clark wrote:
> On Thu, 2004-08-26 at 08:54 +0200, Nils Philippsen wrote:
> > That when some people are struggling to get the majority of
> > Windows-ridden persons _not_ to trust everything that's on a web page...
> > Well the idea is that there will be bugs and there will be security
> > holes and that I don't want to make it easier for the Black Hats to
> > exploit these by just popping up a nicely crafted web page. Just think
> > about the changes you need to do: now you have to check whether
> > following special links is allowed, therefore you have to remember that
> > a page is internal... With a dialog you get all of this for free and
> > trust me, people are not as scared by dialogs as you seem to think
> > ;-).
> 
> javascript::alert("Phear")  will look just like any alert dialog we
> create in the system and there are other dialog boxes that can be
> constructed via javascript that will be able to trick people in other
> interactions.
> 
> Actually this is getting worse and worse.  Last time I was home using my
> mom's PC with IE there was a popup/under window that had what looked to
> be a DOS window that just finished a scan of my computer and found some
> "bad things".  It even had a blinking cursor which I believe was
> provided via an animated gif. 
> 
> Social engineering will always be the best way to spread viruses and
> other malicious software.  There probably won't be a good way to stop
> this anytime soon, if it's ever really possible.  Probably the best way
> to get around this is for people to be able to reasonably understand and
> expect what a computer will do or ask of them at any time; then they can
> always make an informed choice with their actions.  However, since computers
> keep changing and updating, the defaults change and things look
> different; it's pretty hard to expect this of people.  This is like being
> able to predict what my 4-year-old cousin is going to say next: it could be
> about dinosaurs or it could be about some T.V. show; I can barely
> understand what he's saying anyway.  Many people feel this way about
> computers: "I unplugged the network cable and an Evolution dialog said:
> 'Error pinging IMAP server' : 'Error: Success'".  Next month it will say
> "Error D-BUS activation: failure"  :-(

Hold on; haven't written that bit yet :-)

There's an interesting paper on these issues here; I'm wondering what
you think of it:
http://www.sims.berkeley.edu/~ping/sid/uidss.pdf


> 
> I'm sure clever social engineering has caught us all at one time or
> another.  When you opened up what seemed like it could be a normal email
> and it turned out that the 'Re: Staff Bulletin' subject line which was
> just too close to real to ignore is actually spam.
> 
> Cheers,
> ~ Bryan
> 
> -- 
> Bryan Clark <bclark at redhat.com>
> Red Hat Desktop Design Ninja
> 
> 