On Tue, Jun 16, 2009 at 1:00 PM, Vincenzo Ciancia
<ciancia@xxxxxxxxxxx> wrote:
On 16/06/2009 mac_v wrote:
In no way should the system decide what windows it can open...
If this is allowed it is only a matter of time before someone develops a
worm which uses this behavior and pops up a window similar to the update
manager which also asks for the user password, allowing the worm to take
control of the system using this password info.
*Is ubuntu only going to realize this security risk after someone*
*develops a proof of concept worm or a real virus*?
If this is done Linux will no longer be THE secure OS.
All windows in the window list should only be triggered by the user; all
other system processes should only trigger a notification.
Do you think it is easy to design a webpage that simulates such a "password fraud"? I see a difficulty here due to having to dim the whole screen to look like the standard password request, not that a user would not enter it in any kind of pop-up.
On the other hand, I have an idea for a secure way to ask for user input. In the installer, the user chooses her own password, and the "secret phrase" which will be written in a root-only accessible file. This sentence will be shown to the user by the system when a password is asked and will authenticate the system with the user. The user should then be instructed not to enter his own password unless the right phrase is seen. A random phrase may be suggested automatically from a huge list.
A few websites use a similar trick and display a custom image which the user chooses. I think it's a bit of a better solution than using a phrase, because people are more likely to notice if it changes.
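The "secret phrase in a root-only file" scheme from the thread, sketched as an added example (not code from any of the posters or from Ubuntu): the phrase is generated from a wordlist, stored with owner-only permissions, and a genuine prompt shows it above the password field; the loader refuses a file that has become readable by others, since a process that can read the phrase could forge the prompt. The wordlist and file path are constructed for the demo.

```python
import os
import secrets
import stat
import tempfile
from pathlib import Path

# Constructed wordlist standing in for the "huge list" the post mentions;
# a real deployment would draw from a large dictionary file.
WORDLIST = ["amber", "bishop", "canyon", "dorsal", "ember", "falcon", "glacier", "harbor"]


def generate_phrase(words, n=3, rng=secrets):
    """Pick n random words as the phrase the system shows to authenticate itself."""
    return " ".join(rng.choice(words) for _ in range(n))


def store_phrase(path, phrase):
    """Write the phrase so that only the file owner (root on the real system) can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(phrase + "\n")
    os.chmod(path, 0o600)  # O_CREAT mode is not applied to a pre-existing file


def load_phrase(path):
    """Return the phrase only while the file is still private; if group/other can
    read it, any process could learn the phrase and forge the dialog, so refuse."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group/other; phrase may be compromised")
    return Path(path).read_text().strip()


def build_prompt(path):
    """Text a genuine password dialog would show; a forger without root cannot fill it in."""
    return f"System phrase: {load_phrase(path)}\nEnter your password only if the phrase above is yours:"


def round_trip_demo(directory=None):
    """Store, reload, then loosen permissions to show the loader rejecting the file."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "secret_phrase")  # hypothetical location
    phrase = generate_phrase(WORDLIST)
    store_phrase(path, phrase)
    loaded = load_phrase(path)
    os.chmod(path, 0o644)  # simulate the file becoming world-readable
    try:
        load_phrase(path)
        rejected = False
    except PermissionError:
        rejected = True
    return phrase, loaded, rejected
```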