AW: [Full-Disclosure] 9/11 virus

vogt_at_hansenet.com
Date: 09/11/03

    To: full-disclosure@lists.netsys.com
    Date: Thu, 11 Sep 2003 14:41:30 +0200
    
    

    > Add the inevitable batch of new 9/11 viruses to the heap of
    > avoidable-but-commonplace user-dependent vulnerabilities.

    It ain't a user-dependent vulnerability. It exploits shortcomings in the
    interface. It exploits the fact that what the machine does is not what the
    user wants or expects it to do.

    User:
    "I want to see this picture."

    Machine:
    Ok...
    ...oh, it isn't a picture, it's an executable...
    ...so, let's execute it.

    The user never wanted to execute a file, he wanted to see a picture. It's a
    miscommunication issue, not stupidity of users. A better interface would
    prevent it. For example, imagine for one second that there were no implicit
    actions, i.e. there is no "doubleclick and the right thing will happen", but
    you always have to state WHAT you want to do. (*)

    It's not a user issue. Users aren't stupid, they just have a limited need to
    know. You'd be shouting at your car mechanic if he told you that it's your
    fault that the car burst into flames because that's just what it does when
    you open the trunk while the headlights are on and the gear is in reverse.

    But hey, it's not like we haven't known this ever since the first Outlook
    worm, and it could've been solved for years.

    Tom Vogt

    (*) And don't tell me users wouldn't accept that. Every other electronic
    device works that way. You don't press POWER on your TV and expect it to
    know which channel you want.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
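As an added example, not part of Tom Vogt's post or of the thread: a small Python check that compares the type a file name leads the user to expect with the type the shell will act on, and both with the leading bytes of the content. The helper names and the sample bytes below are constructed for the example.

```python
# Added example: detect a "picture" that the machine would actually execute.
# Hypothetical helper, not any mail client's real logic; samples are constructed.

IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}


def sniff(data: bytes) -> str:
    """Guess the real type from the leading bytes, ignoring the file name."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    if data.startswith(b"MZ"):  # DOS/PE executable header
        return "executable"
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Compare what the name implies (to the user and to the shell) with content."""
    exts = [e.strip() for e in filename.lower().split(".")[1:]]
    os_ext = exts[-1] if exts else ""    # the shell picks its implicit action on this
    user_ext = exts[0] if exts else ""   # the first extension is what a user reads
    content = sniff(data)
    reasons = []
    if os_ext in EXEC_EXTS and user_ext in IMAGE_EXTS:
        reasons.append("double extension: reads as an image, runs as a program")
    if os_ext in IMAGE_EXTS and content == "executable":
        reasons.append("image extension but executable content")
    # An honestly named .exe is not flagged: the user can see what they get.
    return {
        "filename": filename,
        "claimed": os_ext,
        "content": content,
        "verdict": "suspicious" if reasons else "ok",
        "reasons": reasons,
    }


# Constructed samples: a JPEG header and a PE header, padded with zeros.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60
```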

