AW: 9/11 virus

[vogt () hansenet com]

> Add the inevitable batch of new 9/11 viruses to the heap of 
> avoidable-but-commonplace user-dependent vulnerabilities.

It ain't a user-dependent vulnerability. It exploits shortcomings in the
interface. It exploits the fact that what the machine does is not what the
user wants or expects it to do.

User: 
"I want to see this picture."

Machine: 
Ok...
...oh, it isn't a picture, it's an executable...
...so, let's execute it.

The user never wanted to execute a file, he wanted to see a picture. It's a
miscommunication issue, not stupidity of users. A better interface would
prevent it. For example, imagine for one second that there were no implicit
actions, i.e. there is no "doubleclick and the right thing will happen", but
you always have to state WHAT you want to do.(*)

It's not a user issue. Users aren't stupid, they just have a limited need to
know. You'd be shouting at your car mechanic if he told you that it's your
fault that the car burst into flames because that's just what it does when
you open the trunk while the headlights are on and the gear is in reverse.

But hey, it's not like we haven't known this ever since the first Outlook
worm, and it could've been solved for years.


Tom Vogt


(*) And don't tell me users wouldn't accept that. Every other electronic
device works that way. You don't press POWER on your TV and expect it to
know which channel you want.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html