Re: [Ayatana] Farewell to the notification area
>
> Plus, as I pointed out several months ago, this is a HUGE security hole.
> Passwords should only be given in response to a user initiated
> operation. Asynchronous dialogs that ask for passwords are a very bad
> precedent for a secure O/S.
>
>
> Best we get those finger-swipe gadgets working, then :-)
>
I beg to agree with Jim. Yes, it is a HUGE security hole waiting to be
used. As I pointed out in an older thread:
http://www.mail-archive.com/ayatana@xxxxxxxxxxxxxxxxxxx/msg00833.html
it is easy to spoof the update manager update dialog inside a web page
using technologies like Flash that would probably look
indistinguishable from the real thing. As far as I remember, most people
in the thread agreed on the possible security risk associated with the
(not so) new update manager behavior, and even an interesting
discussion on allowing password-less updates from trusted repositories
was initiated.
The thread ended up in oblivion, as any complaints about update manager
behavior, though.
best,
Paulo
--
Paulo José da Silva e Silva
Professor Associado, Dep. de Ciência da Computação
(Associate Professor, Computer Science Dept.)
Universidade de São Paulo - Brazil
e-mail: pjssilva@xxxxxxxxxx Web: http://www.ime.usp.br/~pjssilva