On 16/06/2009 mac_v wrote:
In no way should the system decide what windows it can open...
If this is allowed it is only a matter of time before someone develops a
worm which uses this behavior and pops up a window similar to the update
manager which also asks for the user password, allowing the worm to take
control of the system using this password info.
*Is Ubuntu only going to realize this security risk after someone*
*develops a proof of concept worm or a real virus?*
If this is done Linux will no longer be THE secure OS.
All windows in the window list should only be triggered by the user; all
other system processes should only trigger a notification.

Do you think it is easy to design a webpage that simulates such a
"password fraud"? I see a difficulty here due to having to dim the whole
screen to look like the standard password request, not that a user
would not enter it in any kind of pop-up.
On the other hand, I have an idea for a secure way to ask for user
input. In the installer, the user chooses her own password, and the
"secret phrase" which will be written in a root-only accessible file.
This sentence will be shown to the user by the system when a password is
asked and will authenticate the system with the user. The user should
then be instructed not to enter his own password unless the right phrase
is seen. A random phrase may be suggested automatically from a huge list.
Vincenzo
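
A sketch of the secret-phrase idea from the message above, added here as an example and not part of the original post or of any Ubuntu component. The function names, the file location and the `expected_uid` parameter (0 for root, overridable so the code can be tried without root) are assumptions.

```python
import os
import stat

def store_phrase(path, phrase):
    """Installer step: write the phrase to a file only its owner can read."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)  # enforce the mode even if the file already existed
        os.write(fd, phrase.encode("utf-8"))
    finally:
        os.close(fd)

def load_phrase(path, expected_uid=0):
    """Privileged prompt step: return the phrase only if the file is still private."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuse symlinks
    try:
        st = os.fstat(fd)  # inspect the opened file itself, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("phrase file is not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError("phrase file has an unexpected owner")
        if st.st_mode & 0o077:
            raise PermissionError("phrase file is accessible by group or others")
        return os.read(fd, 4096).decode("utf-8").strip()
    finally:
        os.close(fd)

def password_prompt_text(path, expected_uid=0):
    """Text the privileged dialog shows: the phrase first, then the password field."""
    phrase = load_phrase(path, expected_uid)
    return f'Your secret phrase: "{phrase}"\nPassword: '
```

The phrase authenticates the prompt only while no unprivileged process can read the file, which is what the ownership and mode checks enforce before anything is displayed.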