Re: Untrusted software and security click-through warnings

2007-10-21 Thread Thorsten Sick
Hi

Maybe I found a solution for this problem:

On Tuesday, 16.10.2007, 15:48 +0100, Ian Jackson wrote:
 Alexander Sack writes (Re: Untrusted software and security click-through 
 warnings):
  I completely agree. My point is: if captchas don't help then why would
  pasting commands from the net help to get the user to think about the
  risk their actions imply?
 
 The point is pasting random commands from the net is inherently more
 scary than saying `yes' a few times.
 
 Although we cannot save all of our users, we can save that proportion
 of them who are likely to hesitate when a website says something like
 please type `wget thingy | sudo bash'.
 
 If you have a concrete suggestion for an approach which is likely to
 save _in practice_ a greater proportion of our users, please do
 suggest it.

Users need more features than Ubuntu is offering (uncommon hardware,
non-Ubuntu software).
We would need several approaches:
- Add more features to Ubuntu. Stuff many people are looking for should
be implemented first. Good lists are pages like:
http://ubuntuguide.org/wiki/Ubuntu:Feisty
- If there are only a few people who need some commands to fix a
problem, it would be possible to sign these commands by creating a
small script and adding it to the official repository. Afterwards the
user only has to call sudo apt-get solve_problem237 and sudo
solve237. The pages should only offer these commands as a help.
Additional positive effect: newbies cannot botch it.

A repository of its own for this would be wise, I think.

Maybe this _could_ work.
Thorsten
-- 
Thorsten Sick [EMAIL PROTECTED]


-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


Re: Untrusted software and security click-through warnings

2007-10-16 Thread Alexander Sack
On Tue, Oct 16, 2007 at 10:40:46PM +1300, Matthew Paul Thomas wrote:
 On Oct 16, 2007, at 6:08 AM, Alexander Sack wrote:

 how about using a captcha-like mechanism to trigger this decisionmaking
 process?
 ...

 For example, have the computer specify that the user must type
 either twice or backward -- that choice being presented at
 random -- a word displayed, also chosen randomly, in the dialog
 box.

 Requiring this kind of confirmation is as draconian as it is
 futile ... Such measures also create a new locus of attention;
 the user is not attending to the correctness of their prior
 response, thus frustrating the purposes of both the confirmation
 and the user.

 No method of confirming intent is perfect ... If the rationale
 for performing an irreversible act was flawed from the outset,
 no warning or confirmation method can prevent the user from
 making a mistake.


I completely agree. My point is: if captchas don't help then why would
pasting commands from the net help to get the user to think about the
risk their actions imply?

My opinion is clearly that we should come up with a decent and
standardized way to add third party applications that we can actually
_control_ and design in a way that at least gives our users a chance
to educate themselves before taking any action.

If you just ignore the demand to install third party applications from
third party repositories you will likely train our user-base to just
google the internet and follow arbitrary instructions they find - which
can't be what we want.

 - Alexander




Re: Untrusted software and security click-through warnings

2007-10-16 Thread Ian Jackson
Alexander Sack writes (Re: Untrusted software and security click-through 
warnings):
 how about using a captcha-like mechanism to trigger this decisionmaking
 process?

I assume this is some kind of joke but I'm afraid I don't get it.

Ian.



Re: Untrusted software and security click-through warnings

2007-10-16 Thread Ian Jackson
Alexander Sack writes (Re: Untrusted software and security click-through 
warnings):
 I completely agree. My point is: if captchas don't help then why would
 pasting commands from the net help to get the user to think about the
 risk their actions imply?

The point is pasting random commands from the net is inherently more
scary than saying `yes' a few times.

Although we cannot save all of our users, we can save that proportion
of them who are likely to hesitate when a website says something like
please type `wget thingy | sudo bash'.

If you have a concrete suggestion for an approach which is likely to
save _in practice_ a greater proportion of our users, please do
suggest it.

 My opinion is clearly that we should come up with a decent and
 standardized way to add third party applications that we can actually
 _control_ and design in a way that at least gives our users a chance
 to educate themselves before taking any action.

Absolutely.  If we can't provide a sensible way for a user to
accomplish their task, we train them to accomplish it in an insane
way.

So the removal of dangerous features which we have currently
ineffectually protected by yes, yes, yes style confirmations should
go hand-in-hand with the provision of sensible ways of achieving the
same objectives.

For tasks which involve third-party software this involves some kind
of accreditation/approval process.

 If you just ignore the demand to install third party applications from
 third party repositories you will likely train our user-base to just
 google the internet and follow arbitrary instructions they find - which
 can't be what we want.

Absolutely.

Ian.



Re: Untrusted software and security click-through warnings

2007-10-16 Thread Milan
I completely agree with Ian: let's just get rid of GDebi & Co. installed
by default, thus requiring the users to copy/paste commands to a
console. This is IMHO the best warning we can provide, and daring/being
able to start a console and do this is already a check of the user's will
and capacity at the same time.

Now, as Alexander says, we must provide easy ways to install missing
packages that are approved by Ubuntu. Else we will only be boring users
when they install a normal system. We need a list of all reasonably
needed packages to make a standard Desktop run (encrypted DVDs, drivers,
backports...) and of known trustable repositories.


What I like in Ubuntu is that new outlooks constantly emerge to
create completely new designs that will fit the Desktop for a long
time. With upstart it was great; today, we are concerned about what we
will become when Ubuntu is the first OS used in the world. That's what we
need to think of, and that's no joke! ;-)



Re: Untrusted software and security click-through warnings

2007-10-15 Thread Ian Jackson
João Pinto writes (Re: Untrusted software and security click-through 
warnings):
   2 - fake software, or companion software
...
 Case 2 can only be addressed by educating people on how to use the
 internet in a safe manner; again, typing random commands from an
 untrusted web site is a major security risk for any OS, and it is a
 very common practice for Linux users in particular

At the moment a user can unwittingly compromise their system just by
clicking on one thing on a website and then saying `yes' a few times.

What I'm suggesting is that if they want to do that they should be
required to do something a little more complicated which is more
likely to trigger an actual decisionmaking process.  Like, for
example, typing random commands they found on a webpage.

I don't know if you've seen many naive users in front of computers but
websites that ask them to type runes in when the user was trying to
get some other work done will generally cause the user to smell a rat,
in a way that something which requires them to say `next' four times
doesn't at all.

Ian.



Re: Untrusted software and security click-through warnings

2007-10-15 Thread John Dong
I don't think it'd hurt if we had a warning in gdebi when installing a
.deb not from or signed by the Ubuntu Archive key, to the likeness of
"Installing packages not from Ubuntu repositories can introduce software
bugs, upgrade conflicts, or security vulnerabilities. Make sure you
trust the origin of this package."

Of course, I think most people will click through that anyway, but at
least then we can't say we didn't try.

On Mon, Oct 15, 2007 at 05:31:23PM +0100, Ian Jackson wrote:
 What I'm suggesting is that if they want to do that they should be
 required to do something a little more complicated which is more
 likely to trigger an actual decisionmaking process.  Like, for
 example, typing random commands they found on a webpage.
 
 Ian.


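To make the gdebi check proposed above concrete, here is an added example (not gdebi's or Ubuntu's code) that decides when the warning should fire. It assumes that "from the Ubuntu archive" means a name/version/SHA-256 match against a Packages index apt has already verified with the archive key; the index, package names, versions and .deb contents are constructed samples.

```python
import hashlib
from enum import Enum

# Constructed sample .deb contents, stand-ins for real archive files.
ARCHIVE_VLC_DEB = b"constructed bytes of vlc_1.0-1ubuntu1_i386.deb"
ARCHIVE_GDEBI_DEB = b"constructed bytes of gdebi_0.1-1_all.deb"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed Packages index (versions made up). Assumption: apt has already
# verified the Release file signature with the archive key before this runs.
TRUSTED_INDEX = f"""\
Package: vlc
Version: 1.0-1ubuntu1
Architecture: i386
Description: constructed sample entry
 (continuation line, as real indexes have)
SHA256: {sha256_hex(ARCHIVE_VLC_DEB)}

Package: gdebi
Version: 0.1-1
Architecture: all
SHA256: {sha256_hex(ARCHIVE_GDEBI_DEB)}
"""

class Verdict(Enum):
    FROM_ARCHIVE = "matches a signed archive entry"
    UNKNOWN_PACKAGE = "package name is not in the archive"
    VERSION_NOT_IN_ARCHIVE = "archive carries a different version"
    CONTENT_MISMATCH = "same name and version, but different contents"

def parse_packages_index(text: str) -> dict:
    """Parse RFC 822-style stanzas into {(name, version): {field: value}}."""
    index, stanza, last = {}, {}, None
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last stanza
        if not raw.strip():                # blank line ends a stanza
            if stanza:
                index[(stanza["Package"], stanza["Version"])] = stanza
            stanza, last = {}, None
        elif raw[0] in " \t" and last:     # continuation of the previous field
            stanza[last] += "\n" + raw.strip()
        else:
            last, _, value = raw.partition(":")
            stanza[last] = value.strip()
    return index

def classify_deb(name: str, version: str, deb: bytes, index: dict) -> Verdict:
    """name/version are what dpkg-deb -f reports for the local file."""
    entry = index.get((name, version))
    if entry is None:
        known = any(pkg == name for pkg, _ in index)
        return Verdict.VERSION_NOT_IN_ARCHIVE if known else Verdict.UNKNOWN_PACKAGE
    if entry.get("SHA256") != sha256_hex(deb):
        return Verdict.CONTENT_MISMATCH    # same name/version, different bytes
    return Verdict.FROM_ARCHIVE

WARNING = ("Installing packages not from Ubuntu repositories can introduce "
           "software bugs, upgrade conflicts, or security vulnerabilities. "
           "Make sure you trust the origin of this package.")

def warning_for(verdict: Verdict):
    """Text gdebi would show; None when the .deb is the archive's own."""
    return None if verdict is Verdict.FROM_ARCHIVE else f"{WARNING} ({verdict.value})"
```

A rebuilt package with the archive's name and version but different bytes is treated the same as an unknown one, so the warning cannot be dodged by copying metadata.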


Re: Untrusted software and security click-through warnings

2007-10-15 Thread jdong
On Mon, Oct 15, 2007 at 07:08:45PM +0200, Alexander Sack wrote:
 
 how about using a captcha-like mechanism to trigger this decisionmaking
 process?
 
  - Alexander

In order to install this package, you need to demonstrate your ability
to make sound decisions:

(1) Please click the term of the following equation that represents the
Maxwell Correction of Ampere's loop law:

The [Divergence of the magnetic field] is equal to the [permittivity times
the charge density] plus the [the partial time derivative of the
electric field times a constant]

(2) When Compiz by default was deferred from Feisty, did you cry?
[Yes]  [No]

(3) How do you install VLC Media Player?
   [A] VLC Media Player permits playback of patent encumbered non-free
audio formats and is a moral sin to even consider installing.
   [B] Double-click Automatix, choose Media Player and Editors, then
check VLC Media Player and press the orange Start button.


:)




Re: Untrusted software and security click-through warnings

2007-10-15 Thread jdong
More seriously, I don't think it's a good idea to force the user to
take in a warning by locking out the UI until the user performs some
magic unlock sequence dictated by the warning (such as a CAPTCHA). It is
cumbersome and inconvenient to the user, and most likely the user would
just grumble and direct his attention at completing the test, not
spending any time looking at the warning.

The maximum level of warning I'd be comfortable with is for gdebi to
show a bold red warning that the package is not signed by the official
Ubuntu Archive key, like the one I suggested earlier. Any additional
popup dialogs or user interaction would be nuisances.


John


On Mon, Oct 15, 2007 at 01:23:58PM -0400, jdong wrote:
 In order to install this package, you need to demonstrate your ability
 to make sound decisions:
 
 (1) Please click the term of the following equation that represents the
 Maxwell Correction of Ampere's loop law:
 
 The [Divergence of the magnetic field] is equal to the [permittivity times
 the charge density] plus the [the partial time derivative of the
 electric field times a constant]
 
 (2) When Compiz by default was deferred from Feisty, did you cry?
 [Yes]  [No]
 
 (3) How do you install VLC Media Player?
[A] VLC Media Player permits playback of patent encumbered non-free
 audio formats and is a moral sin to even consider installing.
[B] Double-click Automatix, choose Media Player and Editors, then
 check VLC Media Player and press the orange Start button.
 
 
 :)



Re: Untrusted software and security click-through warnings

2007-10-15 Thread Luke Yelavich
On Tue, Oct 16, 2007 at 03:08:45AM EST, Alexander Sack wrote:
 how about using a captcha-like mechanism to trigger this decisionmaking
 process?

Sorry, but this has accessibility implications, unless it's totally viewable by
the GNOME accessibility framework, i.e. no images.
-- 
Luke Yelavich
GPG key: 0xD06320CE 
 (http://www.themuso.com/themuso-gpg-key.txt)
Email & MSN: [EMAIL PROTECTED]
Jabber: [EMAIL PROTECTED]



Re: Untrusted software and security click-through warnings

2007-10-02 Thread João Pinto
I thought we were talking about users who are expected to understand what
a software repository or a software install package is; the security
improvement would be for those users, to make sure they would understand the
risks of using such resources.
In my opinion, for users which do have the trivial understanding of software
installation on the system, the only safe approach is to not grant them
admin privileges at all.

I guess the goal is not to discourage users from downloading software off the
Web in general; the goal is to drive the users to install software from
trusted sources. Both repositories and web sites can be trusted or untrusted
sources.

The option of providing an installer dialog to present the users to the
basic rules of security when dealing with system software installation was
oriented for those which (I hope) are the minority of users which still do
not understand the risks of installing software from random sources,
probably it is not a feature that would make a difference for most users.

The major sources of spyware/viruses/trojans have been:
  1 - exploits which allow the unattended installation of software
  2 - fake software, or companion software

Case 1 can only be addressed by providing security fixes in time in case
such exploits are discovered.
Case 2 can only be addressed by educating people on how to use the internet
in a safe manner; again, typing random commands from an untrusted web site
is a major security risk for any OS, and it is a very common practice for
Linux users in particular.

Best regards,

2007/10/2, Matthew Paul Thomas [EMAIL PROTECTED]:

 On Oct 2, 2007, at 11:51 AM, João Pinto wrote:
  ...
  If PPAs availability increases there will be nasty people providing
  nasty packages, if you are concerned about naive users, then my first
  suggestion is to present an initial screen during Ubuntu install with:
  If you add extra repositories or install .debs from the web, please
  make sure you are using a trusted source, otherwise you may get
  malicious software, if it is important enough, let's make it hard to
  accept, it is a simple text o read (1 line), there is no excuse for
  next - next.
  ...

 Regardless of whether you think there is any excuse for next -
 next, most people would still do it, and wouldn't read the message.

 Even if they did read the message, most wouldn't have a clue what you
 meant by repositories, .debs, or trusted source.

 And even if they did understand the message, it could be weeks, months,
 or years later that they first had the opportunity to download software
 from the Web. Quite long enough to forget that they shouldn't be doing
 it.

 If you want to discourage people from downloading software off the Web,
 an operating system installer is hardly the place to do it.

 Cheers
 --
 Matthew Paul Thomas
 http://mpt.net.nz/

-- 
João Pinto
GetDeb Package Builder
http://www.getdeb.net


Re: Untrusted software and security click-through warnings

2007-10-01 Thread João Pinto
Ian,
in my opinion there is a major flaw on your assumptions.

If someone is looking for an application X and finds a site with:
To get this application just open a terminal and type: Please type: wget -O
- http://best.forubuntu.com | sh
Trust me, a naive user will just do it; a power user who trusts that site
will also do it, maybe, but just maybe, he will analyze the page contents.
The issue here is not about the technical process involved, it is about
trust.
If you believe that making software installation more restrictive for such
users will improve security, I believe it will fail.

If PPA availability increases there will be nasty people providing nasty
packages; if you are concerned about naive users, then my first suggestion
is to present an initial screen during Ubuntu install with:
If you add extra repositories or install .debs from the web, please make
sure you are using a trusted source, otherwise you may get malicious
software. If it is important enough, let's make it hard to accept; it is a
simple text to read (1 line), there is no excuse for next - next.
If the system will be used by other people, then it is the responsibility of
the system administrator (installer) to pass the message or to configure the
system in a safe manner (by not providing admin membership).

The current main benefits of using trusted repositories are for those who
are security aware; naive users do actually press Install regardless of
the warning on potential malicious software caused by missing GPG
signatures.
Using trusted repositories provides a higher level of security; it does not
enforce it, it is the user's choice to enforce it.

Now let me write a bit about the getdeb project.
We are probably one of the youngest and major 3rd party software providers
for Ubuntu, composed of a small team of Ubuntu/Debian and/or generic Linux
and Open Source supporters.
We do not use an APT repository because the tools required to provide
software, using an easy and presentation-extensible technology, with server
side mirror selection (for load balancing and fail over), are not yet
production ready.
The ability to install applications from a browser using APT will be
introduced in Gutsy (apt url handler, and gapti); still, they do not cover
some of our usability concerns, and the apt dynamic mirror selection feature
is still not fully implemented and needs more testing.

In our specific case APT is a strong requirement; we are providing 5000
packages and 100GBs of data per day.
Our current success comes from the fact that we serve both types of users:
naive users which just need some new software and some newer version to
support their latest gadget or their latest web service, and power users,
which have the skills to build from source packages but which do not have
enough time to read the install instructions and install all the development
packages for every software that they may need.

Summarizing, I agree with you that it is our responsibility (Ubuntu
community in general) to provide a safe computing environment; however, in my
humble opinion this should be pursued with users' education and meeting
reasonable users' needs, and not just by adopting a "make it harder" sense
of security for software installation.

We can continue to discuss getdeb, that would be something for another
thread; my objective here was just to present my personal point of view
regarding your comments. Getdeb is presented as an example of a 3rd party
software provider. We could not have a contractual obligation with Canonical
because we are not a legal entity.

Best regards,

2007/10/1, Ian Jackson [EMAIL PROTECTED]:

 João Pinto writes (RE: Untrusted software and security click-through
 warnings):
  I agree with some of  your points, but not with others, anyway your note
 was
  a notification, not a request for comments.

 On the contrary: I'm not the person in Ubuntu who will make this
 decision.  A policy matter like this one ought to be taken by the
 Technical Board.  I was expressing my personal opinion.

 So, thanks for your reply and please do feel free to comment in
 detail.  I'd be happy to talk about your project.

 ubuntu-devel-discuss would probably be the right list and I have set
 the Reply-To.

 Regards,
 Ian.




-- 
João Pinto
GetDeb Package Builder
http://www.getdeb.net


Re: Untrusted software and security click-through warnings

2007-10-01 Thread Matthew Paul Thomas

On Oct 2, 2007, at 11:51 AM, João Pinto wrote:

...
If PPAs availability increases there will be nasty people providing 
nasty packages, if you are concerned about naive users, then my first 
suggestion is to present an initial screen during Ubuntu install with:
If you add extra repositories or install .debs from the web, please 
make sure you are using a trusted source, otherwise you may get 
malicious software, if it is important enough, let's make it hard to 
accept, it is a simple text o read (1 line), there is no excuse for 
next - next.

...


Regardless of whether you think there is any excuse for next - 
next, most people would still do it, and wouldn't read the message.


Even if they did read the message, most wouldn't have a clue what you 
meant by repositories, .debs, or trusted source.


And even if they did understand the message, it could be weeks, months, 
or years later that they first had the opportunity to download software 
from the Web. Quite long enough to forget that they shouldn't be doing 
it.


If you want to discourage people from downloading software off the Web, 
an operating system installer is hardly the place to do it.


Cheers
--
Matthew Paul Thomas
http://mpt.net.nz/
