Jim Youll <[EMAIL PROTECTED]> writes:
> On Sep 24, 2008, at 6:39 PM, Perry E. Metzger wrote:
>> The whole point of the study (which you feel had an "inappropriate
>> tone") and of such gedankenexperiments is to understand the problem
>> space better.
>
> Clarification: not the study.
>
> I believe the article had an inappropriate tone. Calling victims of
> inadequate user interfaces

I don't think all the interfaces in question are inadequate. There are
glaring exceptions, such as the various interfaces in browsers to
determine if an SSL connection is trustworthy. However, not all the
interfaces are inadequate.

> "idiots" is inappropriate and spits in the face of the evidence.

Does it? Are there really no people to whom one can apply that involved?

I have heard of cases in which, in spite of having been told point
blank by security people not to send any further money to a 419
scammer, people have continued sending it because, after asking the
419 people if they were a scam, they were assured by them that they were
legitimate. Indeed, I've heard of worse. Short of a court imposed
conservatorship, how is one to protect someone like that?

It is clear that user interfaces will always need to allow people
to do things like transferring money or installing software, and it is
equally clear that such operations will always have some potential for
danger. Some people will not pay attention to warning signs of danger
in such interfaces regardless of how prominently they are displayed,
and we cannot make such things perfectly safe.

We can fancy up our language if you insist. For example, we can be
more polite (by speaking of users with "limited security problem
detection skills" and such). However, in the end, not all of these
people are victims of anything other than themselves.

> It's still a fact that when a majority of a population of operators
> of any equipment is experiencing poor outcomes just using it as
> normal people do, then there is a screaming need to fix that
> equipment.

Actually, a majority don't experience trouble. A majority *are*
infected with malware, but not because of any fault of their own --
driveby and other infection systems are just too pervasive, and the
majority use an operating system that is very full of holes.

However, most people seem to recognize 419 scams, phishing email,
etc. The problem is that a substantial minority do not, and a worse
problem is that a fraction of those cannot regardless of how much
"user education" is applied.

As I noted, we should indeed improve our interfaces, reduce
the number of opportunities such people have for causing themselves
harm (thus the notion of "always on security" etc.) and take all other
reasonable measures.

However, it is important, as I said, to see the limits. Some people
will always aim the gun at their feet and fire, no matter how many
trigger interlocks we add.

Perry
-- 
Perry E. Metzger                [EMAIL PROTECTED]

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
