Microsoft Sponsors Antiphishing Bakeoff

uniquebydegrees writes, "InfoWorld is blogging about the (predictable) results of a Microsoft-sponsored antiphishing technology bakeoff. From the TechWatch blog: 'Microsoft's Phishing Filter (MPF) in IE 7 Beta 3 received the highest "composite score" at 172, followed closely by NetCraft's toolbar with a composite score of 168. But when you dig into the numbers, another story emerges... IE's MPF antiphishing toolbar doesn't top out any of the individual tests that make up the composite score... So how did MPF end up on top?... Microsoft didn't do the best job of spotting phish sites, but it did do the best job of blocking the ones it did spot, and blocking was what garnered the most points... Blocking a phishing Web site earned you twice as many points as just warning about it in this test, but is blocking really twice as effective as just warning users?'"

What do most users do when they get a warning box?

[chroot_james]

"What is this window doing here?! I just want to get to paypal already..." *clicks ok* "There. Now I can finish this ssn and cc verification..."

I hate slashdot so much

[anotherone]

If anything, blocking a site should be worth more than double, since most people I know seem to just ignore warning dialogs.

Stupid questions

[Solkre]

Why do all article descriptions end with a stupid question?

And for those who disagree, there ARE stupid questions.

Actually....

[zappepcs]

It is the blocking part without user interaction that provokes that 'just click ok' reflex all the time. When the OS (or any machine, service, etc.) coddles the user to the point that they don't know what they are doing, or having the computer do, it breeds ignorance. No, I'm not dumb enough to think that all computer users must be sysadmins, but software that deepens their ignorance is not good software. Intelligent software should tell user's what is happening, why(if possible), and what the software can do about it, and/or what the user should do about it. I know that clippy was pretty annoying, but a less annoying and more intelligent approach like clippy would help user's to make better security decisions in the future. Just two cents worth.

Sadly, yes

[Angst Badger]

[...] but is blocking really twice as effective as just warning users?

While I am loath to say anything positive about Microsoft, I'd have to agree with the scoring. Most end-users, especially the developmentally challenged ones that are prone to phishing scams, simply do not read warnings. If someone is drooling, it does no good to tell them. Just wipe their chin.

Yes...

[loraksus]

Because your average user is stupid and will click away any phishing warning, especially if the email says "You may see a dialog like this, click yes/ignore (just like installing your printer, scanner, tv card, etc drivers)"

I really don't want to advocate handholding, but some people really do need it..

Template for MS Slashdot Articles

[derrickh]

Microsoft did something right...but is that something actually not wrong?

Microsoft performed well...but is performing well more important than performing badly?

Microsoft isnt all bad...but is not being bad the same as being good?

D

Re:I hate slashdot so much

[jrumney]

If anything, blocking a site should be worth more than double, since most people I know seem to just ignore warning dialogs.

My first thought was that the false positive rate is probably going to be about the same as WGA, blocking far too many sites, but you're right. The ideal solution would be to have it configurable and default to blocking, since the users who click through without reading are probably not going to go anywhere near the Options dialog.

Re:Actually....

[merreborn]

As much as I'd love to agree with you, your average user doesn't *care* what the computer's doing, or what their options are. They just want their email. They don't *want* to know any more than they absolutely have to.

That, bundled with way too many dialogs asking them questions they don't know the answers to, has resulted in the "Just click yes" reflex.

By way of example -- the first time you submit a form in any browser, you get that "You're about to send unsecured information over the internet!" dialog. Do you know *anyone* who's ever pressed anything other than the "Never tell me this again" button?

Sure, it tells the user exactly what the computer's doing, but honestly, it's just not useful. Either you already understand what that means, and don't need the dialog at all, or you haven't a god damn clue -- in which case, a 12-word dialog isn't really going to educate you on HTTP, packet sniffing, SSL, and HTML forms.

Yes, if you want to win the bakeoff

[EmbeddedJanitor]

Of course the rules have been twisted to get the MS offering on top. It 2x had not worked, then it would have been 3x or 10x or whatever mgic multiplier would have got the MS device on top.