Paulo J. S. Silva wrote on 14/12/09 15:10:
>...
> OK, let me get this straight. Are you saying that all pop-up windows
> that appear to you in your browser have the window decorations around
> it?

Yes.

> Could you please visit:
>
> http://www.popup-killer-review.com/windowless-swf.htm
>
> This shows that it is possible to add a flash application on top of a
> web-page without any decorations. Given enough skill it can have the
> right look, doesn't it?

Yes, though it's still inside a browser window with a browser window
frame. This is not new: banner ads have been imitating Windows error
messages for over a decade.

> I do know any flash, so it would take quite
> some effort to create an example myself, but I think it is clear that
> what I am talking about can be accomplished through flash.

Yes, but that's true for any window where the user is using the default
theme. It has nothing particularly to do with Update Manager.

You could cut out the middle-man and imitate a PolicyKit alert directly.
You could imitate an Empathy IM window that pretends to be a forgotten
classmate organizing a reunion and wanting your contact details. Or you
could cut to the chase and ask for profitable info directly:
<http://www.sharenator.com/Has_Your_Credit_Card_Number_Been_STOLEN_On_The_Internet/>

The only realistic defence I can think of against this would be to
randomize the theme used by each Ubuntu user, and to neuter the
browser's CSS System Colors implementation so that Web authors could not
tell what the theme was. That way, faked windows would almost always
look wrong.

>> As I wrote in <http://launchpad.net/bugs/332945>: "...assuming that
>> people will see a window that looks like the updates window, and
>> behaves like the updates window, but be able to tell that it's fake
>> solely because it opened automatically. I think that's quite
>> unrealistic, because it would require a much better memory for past
>> actions than people usually have. For example, if you open Update
>> Manager yourself but get a phone call and have to switch to another
>> task in a hurry, and don't return to Update Manager until the next
>> day, you may have no memory of opening it the previous day.
>> (Expecting people to then close it and reopen it, *just in case* the
>> already-open instance was a fake one, would be even less realistic.)"
>
> OK. This is true, given a sufficiently convoluted scenario the user
> may forget that he has called the update-manager or not once he goes
> back to the computer. However this is not the most likely scenario.
> Most likely the user will be there using the computer when a malicious
> window pops up in the middle of the web page (probably he will be
> browsing and have recently moved to the malicious page where the
> pop-up lives). Then he can think: "weird, I do not remember calling
> update-manager (or any other administration window)". In the current
> state of affairs the user thinks "Here goes update-manager again...".
> So even though not having the pop-up behavior in administrative tasks
> would help us explain to user how to behave when they see weird
> pop-ups in their computers.
>...

So, we disagree on how convoluted the scenario is. :-) Maybe I'm biased
by having a job where interruptions are common.

Cheers
-- 
Matthew Paul Thomas
http://mpt.net.nz/

