
List:       kde-usability
Subject:    Re: Security and usability
From:       Lauri Watts <lauri () kde ! org>
Date:       2003-08-18 12:39:02

On Monday 18 August 2003 12.41, Roland Seuhs wrote:

> Has there been a single recorded event in which a cookie has caused actual
> harm to some user? I don't think so.

Define 'harm'.  I suspect my definition is much narrower than yours, because I 
think it happens all the time.  

Many people mix security and privacy in this kind of discussion but leaking of 
private information to other than the intended recipient and/or collection of 
such private information via deception or obfuscation, go on every day.  

I don't care how much more targeted the ads on a book store might be if they 
know what TV channels I look at listings for, that book store has no right to 
request such information *from the TV site*, let alone just take it. 

> Let me explain:
>
> Essentially, all the useless popups (not only in KDE, but in many other DEs
> and programs) are training the users to press yes and ignore popups.
>
> Anybody who thinks that these popups are increasing security is just wrong:
> First he is wrong because those popups are ignored, secondly he is wrong
> because cookies and forms are no security problems. I repeat it: If you say
> "But it's just about educating the users that the connection is not
> encrypted" - You are wrong: Users will ignore the popup, many won't even
> read it. It simply doesn't matter. If pressing "OK" is the only way to use
> the website, users will press "OK", no matter what you write into that
> annoying popup.

No, they are increasing *privacy* though.  I have a right to know what, and 
when, information is being requested by a website.  Users who don't care, 
turn it off (or never turn it on, this is not the default setting after all).

> Sniffing passwords from ftp and php3 accounts are *REAL* security issues
> that cause *REAL* problems, unlike the hype around cookies and html-forms
> which are basically just hysteria with not a single documented case of harm
> caused.

Wrong.  Trackware or spyware cookies are exceedingly common.  
http://www.safersite.com/PestInfo/db/spyware_cookie.asp lists a couple hundred 
of them.  Their definition, which I find quite fair, is: 
'Any cookie that is shared among two or more unrelated sites for the purpose 
of gathering and/or sharing (private) user information. Definitions of 
"private" may differ. Some consider any code "private" if it uniquely 
identifies a user, even if it is not their name or email address.'

You're right, many people don't care; however, there's a whole heck of a lot of 
people who do.  This same site is home to the PestPatrol software, and their 
stats say they received 511,017 pest reports from PestPatrol users for the 
past month.  That's a whole heck of a lot of people who care very much, and 
PestPatrol isn't even the most popular software of its type, but Ad-Aware 
don't seem to post their stats on their site.  

> Dumping the cookie, html-form and file-upload popups and introducing rarely
> shown "use scp instead of ftp" popups would increase security *BECAUSE* it
> would reduce hassles and popups and concentrate the user's attention on the
> things that actually matter.

An exceedingly rarely triggered case would see a small increase in security - 
I can't even remember the last time I uploaded something to an ftp site via 
ftp.  I would *never* see this dialog.  I think it's a cute idea, and might 
be worth adding as well, but it's not a case of 'well we add this, we have to 
now remove the highly regarded and widely used privacy features on cookies'.  
I can also see us getting yelled at for port probing home Windows admins' ftp 
servers on port 22 and tripping their zone alarms.

Regards,
- -- 
Lauri Watts
KDE Documentation: http://i18n.kde.org/doc/
KDE on FreeBSD: http://freebsd.kde.org/