Re: [Nolug] FEEDBACK: Security blame games

From: -ray <ray_at_ops.selu.edu>
Date: Tue, 9 Sep 2003 01:56:28 -0500 (CDT)
Message-ID: <Pine.LNX.4.44.0309090142020.23273-100000@romulus.csd.selu.edu>

On Tue, 9 Sep 2003, Dustin Puryear wrote:

> At 11:44 PM 9/8/2003 -0500, you wrote:
> >On Mon, 8 Sep 2003, Mark A. Hershberger wrote:
> > > Dustin Puryear <dpuryear@usa.net> writes:
> > >
> > > > Advanced email software like Evolution has had flaws, and these flaws
> > > > will be attacked more and more as there are more Linux end-users.
> > >
> > > What sort of exploitable flaws does Evolution have? How would the
> > > exploitation of those flaws be similar to the exploits for Outlook if
> > > everyone ran Evolution?
> >
> >I'm convinced that Joe User will click anything that says 'Click Me',
> >regardless of his OS or mail client. To see if Kmail was really more
> >secure, I sent myself a bash, perl, and compiled C program as attachments.
> >From Kmail, just clicking around, there was no way to execute them.
> >Attempts to "open" just opened the source in Emacs. There was no way to
> >run them, which is good. All MUAs should be like this, since obviously
> >most people are too dumb to have a smart mail client.
>
> I absolutely agree! At worst show a warning like "You are about to do a
> very, very dangerous thing. Are you sure?" and then possibly a "So when you
> said Yes to being sure, were you sure you meant Yes? Or did you in fact
> mean No? I would think you meant No. Right?" Better yet, require the user
> to save the file to disk using a Save As and then perform the operation.

I don't think it would work... he might skim the warning the first time.
Second time he just thinks "this damn warning again...". By the third
time he's memorized exactly how many times to click and where to position
the mouse cursor for each click, and will breeze right through the
warnings. You could randomize the warnings and clicks, but there is a
fine line between protecting and annoying the user. :)

"In order to run this program, you must REALLY REALLY know what you are
doing. And name all seven dwarfs. Continue?"

> No automatic execution.

Exactly...

ray
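As an added example (not code from the thread or from Kmail), here is the behaviour ray describes written out for a mail client in Python: attachments go to disk only, under the user's own permissions with no execute bit, the filename stripped of path components, and scripts or binaries flagged by content rather than by name. The sample message and the helper names are constructed for this example.

```python
"""Added example: save MIME attachments so they are never runnable as-is."""
import email
import os
import stat
import tempfile
from email import policy
from pathlib import Path

# Constructed sample message: a shell script attachment with a hostile filename.
SAMPLE_MSG = b"""From: tester@example.invalid
To: tester@example.invalid
Subject: attachment test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/x-sh; name="../evil.sh"
Content-Disposition: attachment; filename="../evil.sh"
Content-Transfer-Encoding: 7bit

#!/bin/sh
echo pwned
--b1--
"""

EXEC_MAGIC = (b"#!", b"\x7fELF", b"MZ")  # shebang, ELF and PE headers


def looks_executable(data: bytes) -> bool:
    """Content sniff: true for scripts and native binaries whatever the name says."""
    return data.startswith(EXEC_MAGIC)


def save_attachments(raw: bytes, outdir: str) -> list:
    """Write each attachment to outdir as a 0600 data file; return (path, is_exec) pairs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    saved = []
    for part in msg.iter_attachments():
        name = Path(part.get_filename() or "attachment").name  # drop any "../" prefix
        data = part.get_payload(decode=True)
        dest = Path(outdir) / name
        # O_EXCL refuses to clobber an existing file; mode 0600 never includes +x.
        fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        saved.append((str(dest), looks_executable(data)))
    return saved


def file_mode(path: str) -> int:
    """Permission bits of a saved file (e.g. 0o600), for checking no +x was set."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> list:
    """Run the sample message through save_attachments in a fresh temp dir."""
    return save_attachments(SAMPLE_MSG, tempfile.mkdtemp())
```

A client built this way still lets the user run the file, but only after the deliberate Save As and chmod +x that the thread argues for.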

___________________
Nolug mailing list
nolug@nolug.org
Received on 09/09/03

This archive was generated by hypermail 2.2.0 : 12/19/08 EST