desktop-packages team mailing list archive

[Matthew Paul Thomas <mpt@xxxxxxxxxxxxx>]

Public bug reported:

If you have a user account with a password, someone with physical access
to your computer can still access your account by holding down Shift
during startup, choosing recovery mode, and changing your password.

This is an intractable problem. For example, from Microsoft's "10
immutable laws of security": "If a bad guy has unrestricted physical
access to your computer, it's not your computer anymore".
<http://technet.microsoft.com/en-gb/library/cc722487.aspx#EIAA>

However, probably it isn't obvious to a non-professional that a password
alone isn't enough to secure their stuff.

So perhaps, wherever Ubuntu lets you set a password (Ubiquity, System
Settings "User Accounts"), it should contain a brief (very brief)
explanation of this. Something like: "A password doesn’t protect against
someone with physical access to the computer."

** Affects: gnome-control-center (Ubuntu)
     Importance: Undecided
     Assignee: Matthew Paul Thomas (mpt)
         Status: New

** Affects: ubiquity (Ubuntu)
     Importance: Undecided
     Assignee: Matthew Paul Thomas (mpt)
         Status: New

** Changed in: ubiquity (Ubuntu)
     Assignee: (unassigned) => Matthew Paul Thomas (mpt)

** Also affects: gnome-control-center (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: gnome-control-center (Ubuntu)
     Assignee: (unassigned) => Matthew Paul Thomas (mpt)

** Description changed:

  If you have a user account with a password, someone with physical access
  to your computer can still access your account by holding down Shift
  during startup, choosing recovery mode, and changing your password.
  
- There is an intractable problem. For example, from Microsoft's "10
+ This is an intractable problem. For example, from Microsoft's "10
  immutable laws of security": "If a bad guy has unrestricted physical
  access to your computer, it's not your computer anymore".
  <http://technet.microsoft.com/en-gb/library/cc722487.aspx#EIAA>
  
  However, probably it isn't obvious to a non-professional that a password
  alone isn't enough to secure their stuff.
  
  So perhaps, wherever Ubuntu lets you set a password (Ubiquity, System
  Settings "User Accounts"), it should contain a brief (very brief)
  explanation of this. Something like: "A password doesn’t protect against
  someone with physical access to the computer."

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-control-center in Ubuntu.
https://bugs.launchpad.net/bugs/878906

Title:
  Not obvious that giving your account a password is not physical
  security

Status in “gnome-control-center” package in Ubuntu:
  New
Status in “ubiquity” package in Ubuntu:
  New

Bug description:
  If you have a user account with a password, someone with physical
  access to your computer can still access your account by holding down
  Shift during startup, choosing recovery mode, and changing your
  password.

  This is an intractable problem. For example, from Microsoft's "10
  immutable laws of security": "If a bad guy has unrestricted physical
  access to your computer, it's not your computer anymore".
  <http://technet.microsoft.com/en-gb/library/cc722487.aspx#EIAA>

  However, probably it isn't obvious to a non-professional that a
  password alone isn't enough to secure their stuff.

  So perhaps, wherever Ubuntu lets you set a password (Ubiquity, System
  Settings "User Accounts"), it should contain a brief (very brief)
  explanation of this. Something like: "A password doesn’t protect
  against someone with physical access to the computer."

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/878906/+subscriptions