[cap-talk] The Limits of POLA's Utility - Social Engineering

Karp, Alan H alan.karp at hp.com
Wed Jun 7 12:17:14 EDT 2006

Toby Murray wrote:
> Yes. But I wonder if there isn't a case for building systems that
> protect users against themselves.

Sort of.  Voluntary Oblivious Compliance attempts to prevent the user
from violating policy when doing the usual thing.  In the example of
givemeallyourmoney.com, VOC would prevent the recipient of the credit
card number from using it.  In fact, the web page doesn't ask for the
CCV, so that is the case.  Note that VOC is indeed voluntary.  You can't
prevent Bob from withdrawing all his money and sending the cash.  That's
something that might give him pause, but con men don't find it too much
of a barrier.

Actually, Bob should have been suspicious.  How does he know that Alice
didn't write the virus in order to blackmail him?  The juicy stuff
purportedly from Alice's machine could be fake while the evidence of
Bob's prying is not.  In that sense, it's no different than a police
sting operation.

There is a better example of a deal with the devil.  The most secure
home machines are zombies.  In exchange for allowing the controller to
send spam in the middle of the night, the user gets a machine protected
from other malware.  That's a true symbiotic relationship.

Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories 
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029