
Re: [Ayatana] Farewell to the notification area



>
> Plus, as I pointed out several months ago, this is a HUGE security hole.
> Passwords should only be given in response to a user initiated
> operation.  Asynchronous dialogs that ask for passwords are a very bad
> precedent for a secure O/S.
>
>
> Best we get those finger-swipe gadgets working, then :-)
>

I beg to agree with Jim. Yes, it is a HUGE security hole waiting to be
used. As I pointed out in an older thread:

http://www.mail-archive.com/ayatana@xxxxxxxxxxxxxxxxxxx/msg00833.html

it is easy to spoof the update manager update dialog inside a web page
using technologies like Flash that would probably look
indistinguishable from the real thing. As far as I remember, most people
in the thread agreed on the possible security risk associated with the
(not so) new update manager behavior, and even an interesting
discussion on allowing password-less updates from trusted repositories
was initiated.

The thread ended up in oblivion, as any complaints about update manager
behavior, though.

best,

Paulo
-- 
Paulo José da Silva e Silva
Professor Associado, Dep. de Ciência da Computação
(Associate Professor, Computer Science Dept.)
Universidade de São Paulo - Brazil

e-mail: pjssilva@xxxxxxxxxx         Web: http://www.ime.usp.br/~pjssilva