On Tue, Jun 16, 2009 at 1:00 PM, Vincenzo Ciancia <cian...@di.unipi.it> wrote:
> On 16/06/2009 mac_v wrote:
>
>> In no way the system should decide what windows it can open...
>> If this is allowed it is only a matter of time before someone develops a
>> worm which uses this behavior and pops-up a window similar to the update
>> manager which also asks for the user password allowing the worm to take
>> control of the system using this password info.
>> *Is Ubuntu only going to realize this security risk after someone
>> develops a proof of concept worm or a real virus*?
>> If this is done Linux will no longer be THE secure OS.
>> All windows in the window list should only be triggered by the user, all
>> other system process should only trigger a notification.
>>
>
> Do you think it is easy to design a webpage that simulates such a "password
> fraud"? I see a difficulty here due to having to dim the whole screen to
> look like the standard password request, not that a user would not enter it
> in any kind of pop-up.
>
> On the other hand, I have an idea for a secure way to ask for user input.
> In the installer, the user chooses her own password, and the "secret phrase"
> which will be written in a root-only accessible file. This sentence will be
> shown to the user by the system when a password is asked and will
> authenticate the system with the user. The user should then be instructed not
> to enter his own password unless the right phrase is seen. A random phrase
> may be suggested automatically from a huge list

A few websites use a similar trick and display a custom image which the user chooses. I think it's a bit of a better solution than using a phrase, because people are more likely to notice if it changes.

-Natan