On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> 4. No (or minimal) input from user.

To drive home just how misguided this requirement is, I'd like to share with you some data from a recent anti-phishing workshop at Stanford. At the TIPPI workshop, a user study was presented that showed that passive anti-phishing tools such as those provided by Firefox, Netcraft and others failed to protect the user from a phishing attack in over 50% of attacks.

The user study was conducted at MIT. Approximately half of the study subjects were MIT students. The subjects knew they were participating in a study where they would be phished. They were instructed on the use of the passive anti-phishing tools in the browser. Even so, they still only managed to detect approximately every other phishing attack.

The study results were presented at the workshop, but the authors have not yet published a paper, so I can't provide a link as yet.

Tyler

--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
