
Re: [Ayatana] Farewell to the notification area



On Sun, Apr 25, 2010 at 2:39 PM, Marc Deslauriers
<marc.deslauriers@xxxxxxxxxxxxx> wrote:
> On Sun, 2010-04-25 at 13:55 -0300, Paulo J. S. Silva wrote:
>> That is the reason why the pop-up/under/whatever is a BAD idea. And
>> the reason is that it is asynchronous, so the user is getting taught
>> to respond to (possibly fake) windows requesting their password. This is
>> a path for disaster if we ever get remotely close to solving Bug n. 1.
>
> Option #1: Display an icon in the notification area that nobody clicks,
> as a result security updates never get installed and system is
> compromised from the lack of important security updates.
>
> Option #2: Pop-up the update dialog demanding attention, most users
> click to install the important updates and system is secure as system
> security updates are always applied.
>

I don't see why there are only two options. There are more. For
example, I am in favor of prompting the user when logging out or at some
other moment when we can predict that the user is "closing the day"
for updates. Actually, I am one of the few who would favor applying
the security updates by default (but leaving an easy way to turn it
off). I don't believe we can find a way to make sure the user will
apply the updates if he/she has to do anything. I know that my mother,
mother-in-law, sister-in-law, and other family members never apply
the updates (they use Windows). They are simply afraid of the window
that pops up. Usually when I go to their place I sit at the computer
and apply the updates myself.
However, I know that this is a dangerous move, as the user may have a
non-functional computer after an update failure and, since it was
automatic, he/she may not even know that an update took place.

I do believe that the best balance would be to prompt the user at
specific moments (log-out, before suspend/lock) with a dialog whose
default option is to apply the updates. The tricky part here is that
many people just leave their computer on all the time and they
are not there when the computer sleeps or locks the screen to confirm
the update.

Actually, I have a proposal: present the update dialog at
log-out/automatic suspend/lock-screen. The user can ignore it (for
example if he/she is not there). If the user ignores it for more than
a certain amount of time (for example a week), present a notification
at login/awake/unlock that the system will apply the security update
at the next log-out/etc. (or that the user can apply it right away if
he/she wants).

> Side effect of Option #2: Some users may get fooled into typing their
> password into a fake update-manager dialog inside a web page. So...what
> does a web page do with the user's password once it's obtained? Not
> much, as there shouldn't be much to do with it anyway if there is no
> malware installed on the computer. A desktop computer should _not_ be
> accessible from the Internet with a user's password.
>

You've got a point here. All my systems have sshd enabled.

> From a security point of view, option #2 is a _lot_ safer.

As you know, many people use the same password for many things.

...

> The same goes with pop up windows, in order for it to appear in the
> window switcher.

Could you please at least read the argument? I am not talking about
pop-ups (that have window decorations), I am talking about those
windows that don't have decorations and that appear inside webpages
(I think they are made with Flash). Or do you mean that the *regular*
user will take a look at the window switcher and say "oh, the window
that has just popped up is not in the window switcher, it should be a
fake window"? If we assume that the regular user is not concerned
enough about security to apply updates, why should we assume that they
would care to look at the window switcher?

>
> This concept is completely foreign to regular users and I doubt it could
> be something that could be relied upon. "Did you _do_ something for the
> password prompt to be displayed?" is not a question most users would be
> able to answer.
>

If you really think that regular users cannot understand the simple
security procedures, we are hopeless. In this case, some kind of
automatic update is the only way.


> The whole "pop-ups aren't secure" argument sounds like an attempt to use
> security as justification to revert back to the previous behaviour. The
> problem is the previous behaviour isn't secure.
>

No, it is not. But you will have to take my word for that as you
cannot get into my mind :-)
I don't care anymore, I just switch to the old behavior (and if it
becomes unavailable I'll just hack a simple script to email me when
there are updates available and I'll turn off update-manager forever).

But for me the best selling point for Linux is that it is much more
secure than Windows. I usually use the mantra "Imagine not having to
be paranoid about viruses all the time". It really sounds like a bad
idea to have an easy and potential security risk just waiting to
happen. I do think that this can hurt Linux's profile badly.

Anyhow, I don't have anything to add to this discussion. I hope our
concerns are taken into account by the proper people.

Paulo

-- 
Paulo José da Silva e Silva
Professor Associado, Dep. de Ciência da Computação
(Associate Professor, Computer Science Dept.)
Universidade de São Paulo - Brazil

e-mail: pjssilva@xxxxxxxxxx         Web: http://www.ime.usp.br/~pjssilva