Jargons of Info Tech industry
Mike Meyer
mwm at mired.org
Thu Oct 13 11:08:24 EDT 2005
Roedy Green <my_email_is_posted_on_my_website at munged.invalid> writes:
> On Thu, 13 Oct 2005 01:32:03 -0400, Mike Meyer <mwm at mired.org> wrote
> or quoted :
>>That won't prevent phishing, that will just raise the threshold a
>>little. The first hurdle you have to get past is that most mail agents
>>want to show a human name, not some random collection of symbols that
>>map to a unique address. Even if you do that, most readers aren't
>>going to pay attention to said random collection of symbols. Given
>>that, there are *lots* of tricks that can be used to disguise the
>>signed name, most of which phishers are already using. How many people
>>do you think will really notice that mail from "John Bath, PayPal
>>Customer Service Representative" (john.barth at paypa1.com) isn't really
>>from paypal?
>
> I think it better than you imagine.
>
> First of all Mr. Phish will come in as a new communicant begging an
> audience. That is your first big clue. PayPal is already allowed in.

That's your first big clue. You've got two problems, though.

1) An as yet unspecified mechanism that magically approves everyone
   that you want to talk to. That's a big lump to swallow. It's also
   not an easy problem - all existing mechanisms for approving people
   require constant attention. Casual users aren't going to put up
   with that.

2) What makes you think your average user will realize this? It only
   takes a few percent to make it worth the phishers' time.

> Next if Thawte issues certs, they won't allow Phish names such as
> Paypol.com just as now for other certs.

So they'll do what their web sites do now, and sign their own certs.

> Mr. Phish is coming in on a different account.

Different from what? And how does the user get told about this, and
what will make them care?

> Next Mr. Phish had to present his passport etc when he got his Thawte
> ID. Now Interpol has a much better handle on putting him in jail.

Not if he didn't have to go to Thawte.

<mike
--
Mike Meyer <mwm at mired.org> http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.