Could it not ask the user? My Apple regularly asks for decisions of this sort, and remembers the results. So do (popular firewall) products on the PC. Now, most of these questions are too technical in nature, but the point remains that asking a question and remembering the answer is possible.
I continue to believe that few users would grant an email message access to both the Internet and the Address Book when they are asked those two questions, provided that the user had not been conditioned to clicking "YES" in order to get any work done at all.
[EMAIL PROTECTED] wrote:
You have not met my users! This is really rather naive. Users don't understand pop dialogues, they raise their stress level, always clicking "yes" makes the problem go away.
Yes... and it isn't that the users are stupid or ignorant. Most of the time it's /really hard/ to be 100% sure, unambiguously, what the pop-up dialogue is talking about. This is for several reasons...
- Language. It's hard to write a clear and unambiguous message, and since these are written by programmers they usually aren't even grammatically correct, never mind clear and unambiguous.
- Context. The user often has multiple things going on, and often acts faster than the computer's stupid, slow, laggy, ugly GUI... now what did I do that caused this pop-up? Was it my last click, or the other window that finally popped up from the link I clicked 2 minutes ago and which I had almost forgotten about?
- User mental "state". The pop-up may ask for permission to use a previously entered password, but the user can't remember what they previously entered... was that one of my throwaway, non-secure passwords, or was it the PIN for my bank account?
These uncertainties cause stress. After stressing about it for a while the user clicks one choice only to find later that that was the wrong one, increasing the stress level even more the next time. They are likely to soon give up, but even if they do persevere in paying attention and trying to make the right choices, the percentage of errors is going to be very high, and since a single error can critically compromise security this means it's basically hopeless.
:j
--
Jürgen Botz | While differing widely in the various
[EMAIL PROTECTED] | little bits we know, in our infinite
| ignorance we are all equal. -Karl Popper
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
