spf-discuss

Re: A hole in planned phishing-prevention?

2004-06-03 16:41:08
Shevek <spf(_at_)anarres(_dot_)org> writes:

> Then the user should be fired with prejudice, and probably for gross
> misconduct.

My disagreement with the attitude aside, I don't think that's really
realistic in most situations.

It's not like technical people fall prey to phishing now, so I think
it's a lot more useful to consider how phishing affects everyone, not
just dumb users.

If you're ebay.com, this means increased complaints, lost customers,
inability to rely on email, etc.  If you're a bank, it means the same
thing, except you're going to end up liable for some money lost to
fraud, have higher insurance costs, etc.  It's not just for-profit
businesses that are affected either, but these are the easy examples.

And if you're a technical luser, it means joe jobs are still going to
affect you as long as there are dumb users and dumb programs out there.

If we're putting all the meaningful policy into the MUA, then (1) a
crypto addition makes a lot more sense and (2) expect to wait a lot
longer for deployment to reach critical mass.  If it's possible to solve
a bit more of the problem without requiring smarts in the MUA, the
initial (well, next generation) solution will be a lot better.

Daniel

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/