
Secure Attention Key


Posted Mar 29, 2012 17:47 UTC (Thu) by khim (subscriber, #9252)
In reply to: Secure Attention Key by mathstuf
Parent article: GNOME 3.4 released

You've just proved cortana's point. Note how he suggested writing Ctrl+Alt+Insert instead of Ctrl+Alt+Delete, and you've missed it. Sure, a lot of people will miss it, too, but since it's possible to detect Ctrl+Alt+Delete (VMware does that), the program should just close that window and wait for the next opportunity. Eventually the user will actually read the text, press Ctrl+Alt+Insert and give the password the program is seeking.



Secure Attention Key

Posted Mar 30, 2012 1:13 UTC (Fri) by tialaramex (subscriber, #21167) [Link] (3 responses)

Mmm. Maybe. I think Microsoft's intention, and it has been somewhat successful, is to inculcate the Ctrl+Alt+Delete muscle memory into the wider user population beyond the group where it's actually in any way relevant to security (on a home machine where the main user and operator is also the only administrator, tricking the user with such a dialog is almost beside the point).

So you may find that in practice the story goes

User 1: "Oh, a message..." (doesn't read properly) Ctrl+Alt+Delete
User 2: "Oh, a message..." (doesn't read properly) Ctrl+Alt+Delete
User 3: Ctrl+Alt+Delete "Wait did that say... whatever, it worked"
User 4: "Oh, a message..." (doesn't read properly) Ctrl+Alt+Delete
User 5: "Ctrl+Alt+Insert? What's this? Hey, you, IT guy, why does this say Ctrl+Alt+Insert, don't you get tired of changing things for no reason?"
Administrator: "Mmm, infected PC. Wipe it and re-install"
[ Malware is no longer installed ]

Someone would have to do an experiment to check, but this wouldn't be the first time it turned out users are (in a sense) too dumb to fall for a clever trick.

Secure Attention Key

Posted Mar 30, 2012 1:41 UTC (Fri) by cortana (subscriber, #24596) [Link] (1 responses)

I think there will be ten users who fall for it for every one that raises a ticket with IT. I was less of a pessimist in this regard before I saw this video: http://www.thoughtcrime.org/software/sslstrip/. It's not directly related to the use of secure attention keys, but if users who care enough about their privacy to use Tor don't notice that their URL bars say 'http' instead of 'https' then what hope does the average corporate user who just wants to log into their damn computer with a minimum of hassle to do their job have?

Secure Attention Key

Posted Apr 15, 2012 16:12 UTC (Sun) by tialaramex (subscriber, #21167) [Link]

I'm familiar with the fact that users are oblivious to the URL scheme (other things real users don't pay any attention to, in a test where they're entering their own, real banking credentials, include: those images that confirm the remote site knows who you are by acting as a shared secret, a warning icon in the URL bar, and a dialog saying that the connection is insecure).

I wasn't relying on users to notice that something is wrong so much as for them not to notice that anything has changed. The users I deal with don't _seem_ to read that message about pressing Ctrl-Alt-Del and you can't stop it working, so it seemed to me that if people just press it by reflex everything works out OK. Judging from the other reply though, I was wrong.

Secure Attention Key

Posted Mar 30, 2012 5:50 UTC (Fri) by khim (subscriber, #9252) [Link]

> Someone would have to do an experiment to check, but this wouldn't be the first time it turned out users are (in a sense) too dumb to fall for a clever trick.

The experiment showed resounding success. Only instead of “press Ctrl+Alt+Insert” they used trojans with some nonsensical premise in the text and a “send SMS to XXX-XXX-XXXX” (paid number, obviously) ending. Apparently this business scheme is quite profitable.

