Re: [Full-Disclosure] Origin of the term "driveby download"

From: Thor Larholm (lists.netsys.com@jscript.dk)
Date: 01/31/03

    From: "Thor Larholm" <lists.netsys.com@jscript.dk>
    To: "Richard M. Smith" <rms@computerbytesman.com>, <full-disclosure@lists.netsys.com>
    Date: Fri, 31 Jan 2003 16:29:50 +0100
    

    From: "Richard M. Smith" <rms@computerbytesman.com>
    > Yes, there is ActiveX warning message for a driveby download, but I
    > think it is classic "blaming the victim" to call users who click the yes
    > button as "stupid".

    The term "driveby download" heavily implies an automated install process,
    but we all know that there is no such automation here - the user has to
    explicitly consent.

    Because of this FUD term, articles such as
    http://wired.com/news/infostructure/0,1377,57467,00.html have sentences like
    this:

    "And the toolbar will install itself automatically when Internet Explorer's
    security settings aren't set to the highest level."

    As we all know (if you didn't know, then now you do), signed ActiveX
    components require explicit user consent before installing - on anything
    except the very MINIMUM security settings. The default settings, heck even
    lowered settings above the minimum (there are 4 default levels of settings),
    will ask for explicit consent.

    As such, could we please avoid using that term? It is confusing at best and
    havocing for (otherwise fruitful) debates at worst.

    Navigating your browser to an arbitrary website can bring up an "Open/Save
    file" dialog for an EXE file, but just because a large percentage of
    clueless users click the Open button does not mean that we label the process
    as a "driveby download", or any such FUD term. Lack of clue in the victim
    does not impose a lack of security in the product.

    And on the topic, both the "No" button (for signed ActiveX) and the "Save"
    button (for file dialogs) are the default active buttons - in case you just
    press Enter/Space.

    > If an ActiveX control auto-installs without a security warning, then
    > most likely security settings must be messed up.

    If an ActiveX control auto-installs without a security warning, then you
    have set your security settings to the lowest possible.

    Regards
    Thor

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


