So are you trying to tell me that Peanut Butter is good or bad for my car's engine? What if I have a diesel engine? Can I use Peanut Butter in that case? I would think that refined peanut oil will work, but what about straight peanut butter?
^--^ Exibar

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 11, 2003 10:53 AM
Subject: Re: AW: [Full-Disclosure] 9/11 virus

> > Tom Vogt:
> >
> > It ain't a user-dependent vulnerability. It exploits shortcomings in the
> > interface. It exploits the fact that what the machine does is not what the
> > user wants or expects it to do.
> >
> > User:
> > "I want to see this picture."
> >
> > Machine:
> > Ok...
> > ...oh, it isn't a picture, it's an executable...
> > ...so, let's execute it.
>
> Hi Tom.
>
> On this point, you and I agree -- a user should never receive
> indication from the UI that an executable is a picture, and then
> surprise the user by executing something which wasn't really a picture
> after all. Implementing a UI which uses an arbitrary file naming
> convention to indicate the executability of a file, /and then going
> ahead and hiding the file extension by default/, is unbelievably
> braindead. It's like they *tried* to blur the line between program and
> content. Hmm.
>
> > The user never wanted to execute a file, he wanted to see a picture. It's a
> > miscommunication issue, not stupidity of users. A better interface would
> > prevent it. For example, imagine for one second that there were no implicit
> > actions, i.e. there is no "doubleclick and the right thing will happen", but
> > you always have to state WHAT you want to do.(*)
> >
> > ...
> >
> > (*) And don't tell me users wouldn't accept that. Every other
> > electronic device works that way. You don't press POWER on your TV and
> > expect it to know which channel you want.
>
> I maintain, though, that there is a lack of user comprehension involved
> (you said 'stupidity', not me) -- a user needs to know what an
> executable is, before they can understand there's a certain amount of
> danger involved with clicking on them.
>
> As to your suggestion that the implicit behaviour of a doubleclick is a
> problem, I think you're a bit off the mark. Users know that a
> doubleclick will 'Open' whatever they click on, there's no ambiguity
> there. The confusion only occurs when the user doesn't exactly know
> what it is they're doubleclicking on.
>
> > It's not a user issue. Users aren't stupid, they just have a limited need to
> > know. You'd be shouting at your car mechanic if he told you that it's your
> > fault that the car burst into flames because that's just what it does when
> > you open the trunk while the headlights are on and the gear is in reverse.
>
> I think a (slightly) more appropriate analogy would be a mechanic who
> explains time and time again that one should *never* put fuel into a car
> unless they know for certain it's unleaded and from a 'safe' source (and
> actually fuel and not peanut butter!)
>
> I think we agree on the main points, but have slightly differing senses
> of what a user 'needs to know'. In order to function responsibly in
> this e-mail enabled world of ours, users must be able to differentiate
> between executables and documents. Period. To that end, however, user
> interfaces must be clear and explicit when it comes to helping the user
> differentiate the two.
>
> > But hey, it's not like we haven't known this ever since the first Outlook
> > worm, and it could've been solved for years.
>
> Oh, sure, MS completely dropped the ball on Outlook and OE -- but
> consider that this would only prevent e-mail worms, not user-distributed
> 'old-school' viruses. Only user education could stop those.
>
> take care,
>
> Cael
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
