Re: [Full-Disclosure] Microsoft removes 'user:passwd@site' support
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] Microsoft removes 'user:passwd@site' support
- From: user05@kyberwelt.de
- Date: Mon, 9 Feb 2004 14:54:46 +0100
On Mon, 9 Feb 2004 13:40:17 -0000
"Richard Hatch" <r.hatch@eris.qinetiq.com> wrote:
[ some stuff deleted ]
> I am not a Microsoft fan, but given the huge number of email scams relying
> on this type of URL, something clearly had to be done to help protect users.
> Microsoft could have simply said "It's not our fault, we can't fix this
> without breaking other things".
>
> I find it curious that this type of response has not been prompted by the
> "Hide known file extensions" feature of Windows.
> People may think "Why is someone I don't know sending me anna.jpg?" before
> they click on the file.
> If the filename was anna.jpg.exe, most users think that something fishy was
> going on.
>
> As far as I am concerned, the bottom line is that Microsoft's fix will help
> more people than will be affected by it. If people are so bothered by this,
> use a different browser.
>
> It does surprise me that some people in the IT security industry complain
> about the lack of security awareness amongst users on one hand, and argue
> about keeping support for methods that have been proven to fool users into
> clicking strange URL links.
>
> It seems to me that people are so eager to continue pet arguments (i.e.
> anti-Microsoft) that any action by Microsoft is immediately scorned.
>
> Let's stop the flame wars and get back to sharing information so that users
> can be better protected.
Still there are reasons to be concerned. Your point about hidden file extensions
is quite good. And with a monopolist like Microsoft (in fact with any big company)
there are reasons to search for possible intentions for doing this or that.
Not everything is based on pure technical arguments :/
As far as I remember, Microsoft has a "product" called "Passport" and is deploying
a framework called dotnet (or something like that :) strange name).
Removing support for some form of authentication might be just the easier way of
coping with this problem, but certainly might also be part of a bigger picture.
That is (sometimes) the way monopolists work towards more market-saturation.
Or is this too paranoid !?? ;}
my .02 cent
user#05
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html