[cap-talk] The Limits of POLA's Utility - Social Engineering
Micah Brodsky
micahbro at csail.mit.edu
Tue Jun 6 23:12:59 EDT 2006
Hmmm... Genuinely amusing. :)
I'm not sure this is a POLA problem, in the sense that a user has every
right to delegate their authority for ill purposes. However, a system that
helped the user maintain better awareness of what authority was being
invoked and in what way might be a reasonable countermeasure. In the spying
example, the fact that communication from the virus to Alice's machine was
frequent even when Bob was not invoking it could be a red flag.
That being said, I think a real take-home message is that problems like
botnets aren't going away with better client-side security. Just as CAPTCHAs
are now foiled by recruiting humans to solve them in exchange for porn,
botnets could well be replaced with "pornnets" or "wareznets". Humans may
always be the weakest link.
--Micah