At 10:10 AM -0500 3/9/04, Kenneth R. van Wyk wrote:
>So why do I feel that this is a Secure Coding issue and not (just) an OS
>security issue for Full-Disclosure and similar groups to discuss? IMHO, the
>issues that we're dealing with get straight to the heart of the design of the
>desktop environments that are being deployed. Sure, Linux has grown up with
>an arguably better separation of administrative and desktop users from day
>one, but even just a user-level email worm can be pretty frustrating (in case
>you haven't noticed from the size of your inbox in the last month or so).

It really is not a matter of secure coding, but rather of secure design.

>Case in point, I just got KDE 3.2 on my PC over the weekend (thanks to the
>Debian-Sid distribution), and I'm seeing the email/PIM environment appearing
>more and more like Outlook. I can open an email attachment straight into its
>respective app with just 2 clicks of the mouse (although that's actually been
>possible for some time). That's not to say that doing so is a good idea, but give
>the common desktop user the _opportunity_ and...

To secure a machine from malware introduced by a naive user it is required that naive users not have the privilege to introduce software that can be executed by them or by other naive users.