Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: SECURITY.NNOV: Outlook Express address book spoofing
From: Kee Hinckley <nazgul () somewhere com>
Date: Thu, 7 Jun 2001 13:49:06 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 5:26 PM -0700 6/6/01, Dan Kaminsky wrote:
 > e.g. "myfriend () good example org <attacker () evil example net>" the way
 other packages like Netscape Messenger, Mozilla Mail, Pine, and Mutt do.

Good example of how user interface theory can be critical to resolving
security concerns.

I would say rather, that this was a classic example of how an attempt 
to provide a good user interface resulted in worse security.  It's 
right up there with IE's penchant for ignoring file types and looking 
at the content, or automatically translating backslashes into slashes 
in a URL.  Yes, the interface has been improved, but in the long run 
it has made far more trouble for end users, developers, and corporate 
security than it was worth.

True, you cannot examine security without taking into account the 
user.  But doing UI work without regard for security is far more 
dangerous.

In any case, the solution here is not necessary to not hide email 
addresses--although lots of email programs seem to manage just fine 
without that feature--it's not to automatically add aliases.  Or at 
the very least, to not hide aliases that were automatically added. 
The main advantage of adding aliases automatically is that you have 
to do less typing when you send to one of them, that can be kept, 
while treating automatically added aliases different than manually 
added aliases.  Hmmm.  Different levels of security depending on 
where the data came from.  That sounds like something that fits the 
Microsoft model perfectly.
- -- 

Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOx++3SZsPfdw+r2CEQIlpgCg+DaifwiytP9Yia52csmEH/eubssAoNA9
o2+Nq3wj4uLTT+mI3HweqyKV
=jw6g
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault