automated social engineering at its best (maybe?)

Derek Martin invalid at pizzashack.org
Mon Aug 2 22:19:00 EDT 2004


On Mon, Aug 02, 2004 at 06:07:27PM -0400, Bill Sconce wrote:
> Especially (and justifiably) true when they/I/you are distracted
> by juggling other tasks.  Does reading e-mail get, or even deserve to
> get, your full attention, for every single message?

Honestly I don't think it's unreasonable.  Perhaps for me, I am
conditioned this way, because in a real sense, it was my job to pay
close attention to e-mail.  It was often how work units came to me
(trouble ticket via e-mail), and also because e-mail tends to be the
most important and most regular user concern/problem, I'm in the habit
of paying close attention to e-mail.  So maybe I'm not representative
of the average user in that regard.  But yes, I do give e-mail my full
attention, or at least enough of it to know better than to open
attachments in suspicious e-mails...

> Wow!  Not only are they not thinking.  They must not be *listening*.
> A *train*!  (You'd think the noise would be a clue.  :)

I knew someone who was hit by a train.  He was trying to jump on the
train, and fell.  He lost his arm doing so.  It was a stupid thing to
do.  You're right that E-mail isn't anything like a train, but it
illustrates Ben's point: people do stupid things, even when the
consequences are potentially life-threatening.  If we can't expect
people to think about the consequences of their actions in situations
where death could result, then how can we hope that they'll pay
attention to e-mail?

> An e-mail client which allows and encourages you to execute
> a piece of code by clicking on an icon (when the whole interface of
> the "operating system" forces you to click on icons all day) is 
> completely different from a train.
> 
> What we actually have here is mortally-flawed software design.  Some
> blame for clicking falls to the user, but only a small part.  

I agree that the software is largely at fault, but that doesn't excuse
computer users from learning how to use the tools that they must use
daily to do their jobs.  It is technically feasible to change the
behavior of Outlook and other similar clients to prevent a lot of
these infections, and those changes should be made, without a doubt.
But it wouldn't stop all of them...  I think Ben is basically
right: if I sent a message to everyone I know, telling them that I was
attaching a virus, and then attached a virus to that message, with a
filename of this_file_is_a_virus.exe, I'm almost certain some of them
would execute it.

> Let's stop blaming the user for not thinking.  

Why?  It's a fact: people often act without thinking.  It's also a
fact: acting without thinking can have serious consequences.  To me,
this seems like a much more serious problem than bad software,
generally.

It's not like viruses are new; people generally know about them.
These days, they generally understand that opening attachments can
cause an infection.  This should be a big red flag.  Opening
attachments is dangerous.  Proceed with caution.  And look out for
that train...  Basically, you should never open ANY attachment, unless
you were specifically expecting it, and/or have a really good idea of
what's in it.  And then, you should scan it first, with up-to-date
virus software, if you're on a PC.  This should be the routine in all
offices, and if it were the routine, the overwhelming majority of
virus infections would be prevented.  But it isn't.

> Would you get on an airliner which was designed like Windows,
> however good you thought the pilots were at thinking?

Absolutely not.  But running Windows won't kill me, either.
Regardless, it doesn't excuse users from using common sense and taking
basic precautions when they know the consequences.  But the reality is
there's no incentive for them to do so -- it would take time and
effort on their part.  Doing nothing is much better; when it causes a
problem, someone else (the IT guy) has to clean up the mess, and
they'll probably get a break from working because their PC is down.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.


More information about the gnhlug-discuss mailing list