unity-design team mailing list archive

[Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>]

On Sun, 2010-04-25 at 19:28 -0300, Paulo J. S. Silva wrote:
> > Option #1: Display an icon in the notification area that nobody clicks,
> > as a result security updates never get installed and system is
> > compromised from the lack of important security updates.
> >
> > Option #2: Pop-up the update dialog demanding attention, most users
> > click to install the important updates and system is secure as system
> > security updates are always applied.
> >
> 
> I don't see why there are only two options. There are more. For
> example, I am favorable to prompt the user when logging out or some
> other moment that we can predict that the user is "closing the day"
> for updates. Actually, I am one of the few that would favor applying
> the
> security updates by default (but leaving an easy way to turn it off).
> I don't believe we can find
> a way to make sure the user will apply the updates if he/she has to
> don anything. I know
> that my mother, mother-in-law, sister-in-law, and other family members
> never apply
> the updates (they use windows). They are simply afraid of the window
> that pops-up.
> Usually when I go to their place I usually sit on the computer and
> apply the updates myself.
> However I know that this is a dangerous move as the user may have a
> non-functional computer after an update failure and since it was
> automatic he/she may not even know that an update took place.

I think installing security updates automatically may be the only way to
get them installed for people who are afraid of the pop-ups.

> 
> I do believe that the best balance would be to prompt the user in
> specific moments (log-out, before suspend/lock) with a dialog that has
> as default option to apply the updates. The tricky part here is that
> many people are just leaving their computer on all the time and they
> are not there when the computer sleeps or lock screen to confirm the
> update.
> 
> Actually I got a proposal: present the update dialog at
> log-out/automatic suspend/lock-screen. The user can ignore (for
> example if he/she is not there). If the user ignores it for more than
> a certain amount of time (for example a week) present a notification
> at login/awake/unlock that the system will apply the security update
> at next log-out/etc (or that the user can apply it right away if
> he/she wants).
> 

I think this is sure-fire way to make sure the updates _never_ get
installed. On laptops, when people want to turn off or suspend, they
want it to do so immediately, not after 10 minutes of security updates.
I'm pretty sure the success rate of this type of prompt would be even
lower than the blinking notification area.

> > Side effect of Option #2: Some users may get fooled into typing their
> > password into a fake update-manager dialog inside a web page. So...what
> > does a web page do with the user's password once it's obtained? Not
> > much, as there shouldn't be much to do with it anyway if there is no
> > malware installed on the computer. A desktop computer should _not_ be
> > accessible from the Internet with a user's password.
> >
> 
> You got a point here. All my systems have sshd enabled.
> 
> > >From a security point of vue, option #2 is a _lot_ safer.
> 
> As you know, many people use the same password for many things.

I completely agree that a lot of people use the same password for many
things. Preventing web applications from spoofing the security update
dialog box still won't prevent web applications from spoofing any other
authentication dialog, whether it be facebook, or their on-line banking
site. Phishing is a technique that works, and it's when users take a
specific action (clicking a link). Again, I honestly don't think users
are able to tell the difference in security between something they've
asked for (clicking on a tray icon, or clicking a phishing link in an
email), and something that popped up automatically.

> 
> >
> > This concept is completely foreign to regular users and I doubt it could
> > be something that could be relied upon. "Did you _do_ something for the
> > password prompt to be displayed?" is not a question most users would be
> > able to answer.
> >
> 
> If you really think that regular users can not understand the simple
> security procedures,
>  we are hopeless. In this case, some kind of automatic update is the only way.

Maybe it would make sense to have a "Install updates automatically in
the future" check box in the updates dialog to make it easier to enable
this?


> 
> > The whole "pop-ups aren't secure" argument sounds like an attempt to use
> > security as justification to revert back to the previous behaviour. The
> > problem is the previous behaviour isn't secure.
> >
> 
> No, it is not. But you will have to take my word for that as you can
> not get into my mind :-)
> I don't care anymore, I just switch to the old behavior (and if it
> becomes unavailable I'll just hack a simple script to email me when
> there are updates available
> and I'll turn off update-manager forever).

Ah, so do _you_ switch to the old behavior because you don't like the
the pop-up, or because you can't tell the difference between a spoofed
update manager window in a web page and the real update manager?

> 
> But for me the best selling point for Linux is that it is much more
> secure than windows. I usually use the mantra "Imagine not having to
> be paranoid about virus all the time"? It really sounds a bad idea to
> have a easy and potential security risk just waiting to happen. I do
> think that this can hurt Linux profile bad.

Having a few people get fooled by a fake dialog box will probably hurt
Linux a lot less than having Linux users be infected with malware
because no one is installing security updates...

Marc.