Comments on: Interview with a 419 Scammer

By: Iang

Iang — Sat, 13 Feb 2010 02:58:39 +0000

Secure bookmarks?

By: Philipp von Weitershausen

Philipp von Weitershausen — Fri, 12 Feb 2010 13:09:09 +0000

I agree that Larry was a good first step but could be taken further. One direction I consider fruitful is identity management, much like Aza Raskin suggested: http://www.azarask.in/blog/post/identity-in-the-browser-firefox/. Certainly managing various identities (and passwords) is something users don’t like, and I’m not sure how much the existing passwords managers have really caught on. My archetypal average user a.k.a. my mom certainly doesn’t use them.

Users also seem to forget to log out frequently. Especially on public machines that I then use afterward, it seems. If I had a penny for every time somebody had forgotten to log out of Gmail or Facebook at the library, airport, or wherever, I’d have lots of pennies . One solution might be to have a service like Weave for managing online identities and then use the Weave identity to log into various other services. That way you could configure your Weave identity to expire authorization for all services automatically when you’re on somebody else’s browser. In other words, Weave would log you out automatically if you’re not using your home browser.

If only Facebook and the lot supported OpenID…

By: Gijs

Gijs — Fri, 12 Feb 2010 10:24:31 +0000

A few years ago I informally suggested to some people that we could do recognition of sites based on appearance, in order to help fix phishing. Most people suggested doing it based on (HTML) content instead, which might work too and is probably easier to implement, although obviously also easier to defeat. It would basically allow you to pop up Larry and tell the user something along the lines of “This site might look like Paypal.com, but it actually isn’t! We strongly suggest you leave this site! [Get me out of here] [I know this isn't paypal]” (obviously discussion can be had about actual warning content…)

Of course, we have the phishing blacklists, but it seems from the FOSDEM internet security presentation (can’t find the slides, sorry!) that most of these pages don’t stay up for very long (< 10 hours), and once reported they relocate. In the meantime, a bunch of people still get scammed by them.

At a deeper level, the approach is based on a very basic principle: if we want our security approach to work, I think we need Firefox to think like the user, but compare the result of such a thought-experiment (if you will) with the hard facts. I'm not sure if the same approach could be used against some of the 419 scam things – we wouldn't want to false-positive real charities talking about poor widows or orphans, for instance!

By: Eddy Nigg

Eddy Nigg — Thu, 11 Feb 2010 18:42:53 +0000

I like Mike’s idea, I believe there is much more which can be done.

And quite the opposite, I don’t like the “how many….” I never look at it and it wouldn’t catch my attention at the right moment either.

And so what if I visited twitter thousand times and keep authenticating in plain text?

By: Joseph

Joseph — Thu, 11 Feb 2010 16:41:08 +0000

Could you do spam filtering (Bayesian or checksum-based, or pattern-based, or some combination) of web pages?

By: Johnath

Johnath — Thu, 11 Feb 2010 16:06:17 +0000

@beltzner – yeah, and beyond just warning, there are positive signals we can add there, too. Things like the “how often have you visited this site” stat seem to resonate with the users that actually discover them, but that isn’t most of them.

Integrated (doorhanger) notifications will help a lot here, I think, since they are the next step in terms of making Larry an actual avatar for your relationship with the site.

By: Mike Beltzner

Mike Beltzner — Thu, 11 Feb 2010 16:02:28 +0000

I obviously agree with the sentiment, but think we should be doing a little more with Larry. Most of the time the information provided isn’t helpful, and when it could actually be most helpful, I think we’ve allowed edge cases to convince us out of doing appropriate things.

Specifically, when entering something that looks like a credit card number on a non SSL site, Larry should make sure the user knows what it’s doing. Further, if we see input fields that have display:none or other CSS tomfoolery, we should warn based on that. I’m more confident in our ability to give Larry some basic sense than I am worried about how that might be defeated by more clever attackers.