
unity-design team mailing list archive

Re: Farewell to the notification area


> I think installing security updates automatically may be the only way to
> get them installed for people who are afraid of the pop-ups.
>

I agree.

>>
>> I do believe that the best balance would be to prompt the user in
>> specific moments (log-out, before suspend/lock) with a dialog that has
>> as default option to apply the updates. The tricky part here is that
>> many people are just leaving their computer on all the time and they
>> are not there when the computer sleeps or lock screen to confirm the
>> update.
>>
>> Actually I got a proposal: present the update dialog at
>> log-out/automatic suspend/lock-screen. The user can ignore (for
>> example if he/she is not there). If the user ignores it for more than
>> a certain amount of time (for example a week) present a notification
>> at login/awake/unlock that the system will apply the security update
>> at next log-out/etc (or that the user can apply it right away if
>> he/she wants).
>>
>
> I think this is sure-fire way to make sure the updates _never_ get
> installed. On laptops, when people want to turn off or suspend, they
> want it to do so immediately, not after 10 minutes of security updates.
> I'm pretty sure the success rate of this type of prompt would be even
> lower than the blinking notification area.
>

That is why I said that at least at first there should be no automatic
updates, but only after some time. I would also prompt the user that
the updates are present at login/resume. And considering what you just
said, it may be interesting to consider automatic updates at login (and
in the background, so that the user can do what he/she wanted when
he/she turned on the computer).

> I completely agree that a lot of people use the same password for many
> things. Preventing web applications from spoofing the security update
> dialog box still won't prevent web applications from spoofing any other
> authentication dialog, whether it be facebook, or their on-line banking
> site. Phishing is a technique that works, and it's when users take a
> specific action (clicking a link). Again, I honestly don't think users
> are able to tell the difference in security between something they've
> asked for (clicking on a tray icon, or clicking a phishing link in an
> email), and something that popped up automatically.
>

But in that case the problem lies with the application/web site that is
being spoofed. If facebook is using asynchronous login it is their
problem. But Ubuntu is using asynchronous password prompts, so this is
Ubuntu's community problem.

>> If you really think that regular users cannot understand the simple
>> security procedures, we are hopeless. In this case, some kind of
>> automatic update is the only way.
>
> Maybe it would make sense to have a "Install updates automatically in
> the future" check box in the updates dialog to make it easier to enable
> this?
>

That sounds good to me.

>> No, it is not. But you will have to take my word for that as you
>> cannot get into my mind :-)
>> I don't care anymore, I just switch to the old behavior (and if it
>> becomes unavailable I'll just hack a simple script to email me when
>> there are updates available and I'll turn off update-manager forever).
>
> Ah, so do _you_ switch to the old behavior because you don't like the
> pop-up, or because you can't tell the difference between a spoofed
> update manager window in a web page and the real update manager?

At first, I turned it off because I thought it was annoying. Now, I
try to convince my friends that use Linux (and some use it due to me)
to turn it off because it is dangerous. I would never turn it on again
on my computers because I know I don't want to get used to giving my
password to pop-up/under windows that can be spoofed.

>>
>> But for me the best selling point for Linux is that it is much more
>> secure than windows. I usually use the mantra "Imagine not having to
>> be paranoid about viruses all the time". It really sounds like a bad
>> idea to have an easy and potential security risk just waiting to
>> happen. I do think that this can hurt Linux's profile badly.
>
> Having a few people get fooled by a fake dialog box will probably hurt
> Linux a lot less than having Linux users be infected with malware
> because no one is installing security updates...

Even better is to find a way to make users do their updates
without making them get used to behaviors that are also security
risks. Just think a little: you are already admitting that some people
can get fooled. So you are accepting that getting the user used to
giving up his password to asynchronous windows is risky. This sounds
bad to me.

Just remember that any security-conscious business always tells its
clients not to give their passwords to asynchronous requests. See the
bank example or web stores. They never send you an email or call you
asking for your password. They advertise that to their customers and
say explicitly that you should delete any message that asks for your
password or other credentials (I know that my bank does it; actually,
every single time I log in to their web system they present a message
saying just that). There is a reason for this; I hope Ubuntu does not
ignore it.

Paulo
-- 
Paulo José da Silva e Silva
Professor Associado, Dep. de Ciência da Computação
(Associate Professor, Computer Science Dept.)
Universidade de São Paulo - Brazil

e-mail: pjssilva@xxxxxxxxxx         Web: http://www.ime.usp.br/~pjssilva
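Paulo mentions above that, rather than trust a pop-up password prompt, he would "hack a simple script to email me when there are updates available". The script below is an added example of that approach and is not code from the thread or from Ubuntu's update-manager: it parses the simulation output of `apt-get -s dist-upgrade`, counts the planned upgrades that come from a `-security` pocket, and composes a mail body that the user acts on at a time of their own choosing (a synchronous action, in the sense the thread uses). The package names and versions in `SAMPLE_APT_OUTPUT` are constructed, the recipient address and the `mail` command are assumptions, and it assumes the package lists are refreshed separately (for example by the system's own daily apt cron job).

```shell
#!/bin/sh
# Added example (not from the thread): report pending security updates by mail
# instead of relying on a tray icon or an asynchronous password prompt.
# Everything in SAMPLE_APT_OUTPUT is constructed sample data.

# Parse `apt-get -s dist-upgrade` output on stdin. Each planned upgrade is an
# "Inst <pkg> [<old>] (<new> <origin>:<release>/<suite>-<pocket> [<arch>])"
# line; count only the ones whose pocket is -security. "Conf" lines and
# ordinary -updates lines are ignored.
count_security_updates() {
    awk '/^Inst / && /-security/ { n++ } END { print n + 0 }'
}

# Same stream, but print the package names, one per line, for the mail body.
list_security_updates() {
    awk '/^Inst / && /-security/ { print $2 }'
}

# Compose the notification text. Arguments: hostname, count, package list.
# The body tells the user what to run themselves; the script never asks for
# a password and never applies anything.
compose_mail_body() {
    host=$1; n=$2; pkgs=$3
    printf '%s has %s pending security update(s):\n%s\n\nRun: sudo apt-get dist-upgrade\n' \
        "$host" "$n" "$pkgs"
}

# Constructed sample of apt-get simulation output for offline use and testing:
# two security upgrades, one regular update, one Conf line.
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
Inst libexample1 [1.2-0ubuntu1] (1.2-0ubuntu1.1 Ubuntu:12.04/precise-security [amd64])
Inst example-browser [20.0-0ubuntu1] (21.0-0ubuntu1 Ubuntu:12.04/precise-updates [amd64])
Inst libfoo [3.0-1] (3.0-1ubuntu0.1 Ubuntu:12.04/precise-security [amd64])
Conf libexample1 (1.2-0ubuntu1.1 Ubuntu:12.04/precise-security [amd64])'

# Live mode, meant for an unprivileged cron entry such as (hypothetical):
#   0 8 * * *  /path/to/security-update-check.sh --live you@example.org
# `mail` is assumed to come from a package such as bsd-mailx.
if [ "${1:-}" = "--live" ]; then
    MAILTO=${2:?recipient address required}
    out=$(apt-get -s dist-upgrade 2>/dev/null)
    n=$(printf '%s\n' "$out" | count_security_updates)
    if [ "$n" -gt 0 ]; then
        pkgs=$(printf '%s\n' "$out" | list_security_updates)
        compose_mail_body "$(hostname)" "$n" "$pkgs" |
            mail -s "Security updates pending on $(hostname)" "$MAILTO"
    fi
fi
```

Without `--live` the script only defines the functions and the sample, so it can be sourced and exercised against `SAMPLE_APT_OUTPUT`; the simulation flag `-s` means `apt-get` changes nothing and needs no root, which is what keeps the check free of any password prompt.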


