On Saturday 18 June 2005 22:22, Heikki Toivonen wrote:
> Ka-Ping Yee wrote:
> > The important question is not whether there is effort involved but
> > whether the amount of effort is reasonable and worth it.
>
> The thing is, even minimal effort when the perceived threat/payback is
> nil is too much. If you've never been a victim of fraud or identity
> theft and are not very security conscious (I would claim most users),
> then even minimal effort seems too much. Unfortunately.

In general a security system requires human involvement to be strong. If we accept that, then whatever is offered for users that use zero effort would therefore not be strong. This matches current experience.

If we want to make the current security model strong, then, we'd have to bring in the user element. Ask users to do something.

The choice is fairly clear and has been made by many users already. Download a toolbar, do a little effort and get some phishing protection. Do nothing, get what you get for free. Nothing wrong with that.

It's also worth noting that the phishing and the rest of the identity crisis in the USA continues to warm up month after month. Yesterday's Mastercard announcement (see Duane's post) added another waggon load of fuel to the fire... People are getting more and more willing to improve their contribution to their security.

iang
--
Advances in Financial Cryptography, Issue 1:
https://www.financialcryptography.com/mt/archives/000458.html
Daniel Nagy, On Secure Knowledge-Based Authentication
Adam Shostack, Avoiding Liability: An Alternative Route to More Secure Products
Ian Grigg, Pareto-Secure
