From: Kee Hinckley (nazgulsomewhere.com)
Date: Thu Jun 07 2001 - 12:49:06 CDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    At 5:26 PM -0700 6/6/01, Dan Kaminsky wrote:
    >> e.g. "myfriend@good.example.org <attacker@evil.example.net>" the way
    >> other packages like Netscape Messenger, Mozilla Mail, Pine, and Mutt do.
    >
    >Good example of how user interface theory can be critical to resolving
    >security concerns.

    I would say rather, that this was a classic example of how an attempt
    to provide a good user interface resulted in worse security. It's
    right up there with IE's penchant for ignoring file types and looking
    at the content, or automatically translating backslashes into slashes
    in a URL. Yes, the interface has been improved, but in the long run
    it has made far more trouble for end users, developers, and corporate
    security than it was worth.

    True, you cannot examine security without taking into account the
    user. But doing UI work without regard for security is far more
    dangerous.

    In any case, the solution here is not necessarily to not hide email
    addresses--although lots of email programs seem to manage just fine
    without that feature--it's not to automatically add aliases. Or at
    the very least, to not hide aliases that were automatically added.
    The main advantage of adding aliases automatically is that you have
    to do less typing when you send to one of them; that can be kept,
    while treating automatically added aliases different than manually
    added aliases. Hmmm. Different levels of security depending on
    where the data came from. That sounds like something that fits the
    Microsoft model perfectly.
    - --

    Kee Hinckley - Somewhere.Com, LLC
    http://consulting.somewhere.com/

    I'm not sure which upsets me more: that people are so unwilling to accept
    responsibility for their own actions, or that they are so eager to regulate
    everyone else's.

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

    iQA/AwUBOx++3SZsPfdw+r2CEQIlpgCg+DaifwiytP9Yia52csmEH/eubssAoNA9
    o2+Nq3wj4uLTT+mI3HweqyKV
    =jw6g
    -----END PGP SIGNATURE-----
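
The display policy discussed in this message, sketched as an added example (not code from the post or from any mail client): manually added aliases may replace the address, while automatically added or header-supplied names are always shown next to the real address and flagged when they contain a different address. The address book, its "manual"/"auto" labels and the function name are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Loose pattern for "something that looks like an email address".
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed address book: address -> (alias, origin of the entry).
# "manual" = typed by the user, "auto" = harvested from a received header.
ADDRESS_BOOK = {
    "myfriend@good.example.org": ("My Friend", "manual"),
    "attacker@evil.example.net": ("myfriend@good.example.org", "auto"),
}

def render_sender(from_header, book=ADDRESS_BOOK):
    """Return (text_to_show, warn) for a From: header value."""
    display, addr = parseaddr(from_header)
    if not addr:
        # Unparseable header: show it raw and flag it rather than guess.
        return from_header.strip(), True
    addr = addr.lower()
    alias, origin = book.get(addr, (None, None))
    if origin == "manual":
        # The user chose this alias, so it may stand in for the address.
        return alias, False
    # Sender-controlled or auto-added names never hide the real address.
    label = display or alias or ""
    claimed = {m.lower() for m in ADDR_RE.findall(label)}
    warn = bool(claimed - {addr})  # name claims to be some other address
    if not label or label.lower() == addr:
        return addr, False
    return f"{label} <{addr}>", warn

if __name__ == "__main__":
    for hdr in ('"myfriend@good.example.org" <attacker@evil.example.net>',
                'Somebody <myfriend@good.example.org>',
                'attacker@evil.example.net'):
        print(render_sender(hdr))
```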