Re: AW: [Full-Disclosure] 9/11 virus

From: Exibar (exibar_at_thelair.com)
Date: 09/11/03

  • Next message: NGSSoftware Insight Security Research: "[Full-Disclosure] Windows 2003 Server - Defeating the stack protection mechanism" 
    To: <l8km7gr02@sneakemail.com>, <full-disclosure@lists.netsys.com>
Date: Thu, 11 Sep 2003 11:52:36 -0400

    So are you trying to tell me that Peanut Butter is good or bad for my car's
    engine? What if I have a diesel engine? Can I use Peanut Butter in that
    case? I would think that refined peanut oil will work, but what about
    straight peanut butter?

      ^--^

    Exibar

    ----- Original Message -----
    From: <l8km7gr02@sneakemail.com>
    To: <full-disclosure@lists.netsys.com>
    Sent: Thursday, September 11, 2003 10:53 AM
    Subject: Re: AW: [Full-Disclosure] 9/11 virus

    > >Tom Vogt:
    > >
    > > It ain't a user-dependent vulnerability. It exploits shortcomings in the
    > > interface. It exploits the fact that what the machine does is not what
    the
    > > user wants or expects it to do.
    > >
    > > User:
    > > "I want to see this picture."
    > >
    > > Machine:
    > > Ok...
    > > ...oh, it isn't a picture, it's an executable...
    > > ...so, let's execute it.
    >
    > Hi Tom.
    >
    > On this point, you and I agree -- a user should never receive
    > indication from the UI that an executable is a picture, and then
    > surprise the user by executing something which wasn't really a picture
    > after all. Implementing a UI which uses an arbitrary file naming
    > convention to indicate the executability of a file, /and then going
    > ahead and hiding the file extension by default/, is unbelievably
    > braindead. It's like they *tried* to blur the line between program and
    > content. Hmm.
    >
    > > The user never wanted to execute a file, he wanted to see a picture.
    It's a
    > > miscommunication issue, not stupidity of users. A better interface would
    > > prevent it. For example, imagine for one second that there were no
    implicit
    > > actions, i.e. there is no "doubleclick and the right thing will happen",
    but
    > > you always have to state WHAT you want to do.(*)
    > >
    > > ...
    > >
    > > (*) And don't tell me users wouldn't accept that. Every other
    > > electronic device works that way. You don't press POWER on your TV and
    > > expect it to know which channel you want.
    >
    > I maintain, though, that there is a lack of user comprehension involved
    > (you said 'stupidity', not me) -- a user needs to know what an
    > executable is, before they can understand there's a certain amount of
    > danger involved with clicking on them.
    >
    > As to your suggestion that the implicit behaviour of a doubleclick is a
    > problem, I think you're a bit off the mark. Users know that a
    > doubleclick will 'Open' whatever they click on, there's no ambiguity
    > there. The confusion only occurs when the user doesn't exactly know
    > what it is they're doubleclicking on.
    >
    > > It's not a user issue. Users aren't stupid, they just have a limited
    need to
    > > know. You'd be shouting at your car mechanic if he told you that it's
    your
    > > fault that the car burst into flames because that's just what it does
    when
    > > you open the trunk while the headlights are on and the gear is in
    reverse.
    >
    > I think a (slightly) more appropriate analogy would be a mechanic who
    > explains time and time again that one should *never* put fuel into a car
    > unless they know for certain it's unleaded and from a 'safe' source (and
    > actually fuel and not peanut butter!)
    >
    > I think we agree on the main points, but have slightly differing senses
    > of what a user 'needs to know'. In order to function responsibly in
    > this e-mail enabled world of ours, users must be able to differentiate
    > between executables and documents. Period. To that end, however, user
    > interfaces must be clear and explicit when it comes to helping the user
    > differentiate the two.
    >
    > > But hey, it's not like we haven't known this ever since the first
    Outlook
    > > worm, and it could've been solved for years.
    >
    > Oh, sure, MS completely dropped the ball on Outlook and OE -- but
    > consider that this would only prevent e-mail worms, not user-distributed
    > 'old-school' viruses. Only user education could stop those.
    >
    > take care,
    >
    > Cael
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: NGSSoftware Insight Security Research: "[Full-Disclosure] Windows 2003 Server - Defeating the stack protection mechanism"