Re: SECURITY.NNOV: Outlook Express address book spoofing

From: Kee Hinckley (nazgulat_private)
Date: Thu Jun 07 2001 - 10:49:06 PDT

Next message: Dale Southard: "Re: SSH / X11 auth: needless complexity -> security problems?"

Previous message: Markus Friedl: "Re: SSH / X11 auth: needless complexity -> security problems?"
In reply to: Dan Kaminsky: "Re: SECURITY.NNOV: Outlook Express address book spoofing"
Next in thread: Otto.Dandenellat_private: "RE: SECURITY.NNOV: Outlook Express address book spoofing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 5:26 PM -0700 6/6/01, Dan Kaminsky wrote:
>  > e.g. "myfriendat_private <attackerat_private>" the way
>>  other packages like Netscape Messenger, Mozilla Mail, Pine, and Mutt do.
>
>Good example of how user interface theory can be critical to resolving
>security concerns.

I would say rather, that this was a classic example of how an attempt 
to provide a good user interface resulted in worse security.  It's 
right up there with IE's penchant for ignoring file types and looking 
at the content, or automatically translating backslashes into slashes 
in a URL.  Yes, the interface has been improved, but in the long run 
it has made far more trouble for end users, developers, and corporate 
security than it was worth.

True, you cannot examine security without taking into account the 
user.  But doing UI work without regard for security is far more 
dangerous.

In any case, the solution here is not necessary to not hide email 
addresses--although lots of email programs seem to manage just fine 
without that feature--it's not to automatically add aliases.  Or at 
the very least, to not hide aliases that were automatically added. 
The main advantage of adding aliases automatically is that you have 
to do less typing when you send to one of them, that can be kept, 
while treating automatically added aliases different than manually 
added aliases.  Hmmm.  Different levels of security depending on 
where the data came from.  That sounds like something that fits the 
Microsoft model perfectly.
- -- 

Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOx++3SZsPfdw+r2CEQIlpgCg+DaifwiytP9Yia52csmEH/eubssAoNA9
o2+Nq3wj4uLTT+mI3HweqyKV
=jw6g
-----END PGP SIGNATURE-----

Next message: Dale Southard: "Re: SSH / X11 auth: needless complexity -> security problems?"
Previous message: Markus Friedl: "Re: SSH / X11 auth: needless complexity -> security problems?"
In reply to: Dan Kaminsky: "Re: SECURITY.NNOV: Outlook Express address book spoofing"
Next in thread: Otto.Dandenellat_private: "RE: SECURITY.NNOV: Outlook Express address book spoofing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 11:13:58 PDT