Re: security policy / root passwords

[Robert Holtzman]

On Mon, Jun 10, 2013 at 08:04:27AM +0800, Chow Loong Jin wrote:
> On Sun, Jun 09, 2013 at 01:06:40PM -0700, Robert Holtzman wrote:
> > [...]
> > In my gross stupidity this seems like a nonissue. How does a popup
> > asking for your root p/w differ from using the CLI, typing "su" and
> > being asked for the root p/w? I'm assuming that the popup was in
> > connection with a command (GUI) that legitimately would require root
> > privileges. A popup from a CLI command would wave a red flag.
> 
> Typing in your root p/w in a prompt on the CLI is manually initiated -- you 
> run
> a command that you know will prompt you for a password, and it prompts you.
>

That's what I said.
 
> Having a random popup in your face asking you for your password, with the 
> reason
> for its appearance not always immediately clear, could be bad because you 
> would
> then be desensitizing yourself to password prompts, and on one fine morning
> before the caffeine, you might just accidentally type your password into a
> malicious prompt that you didn't verify beforehand.

Exactly right.

-- 
Bob Holtzman
If you think you're getting free lunch, 
check the price of the beer.
Key ID: 8D549279


signature.asc
Description: Digital signature

Re: security policy / root passwords

[Robert Holtzman]

On Sun, Jun 09, 2013 at 07:20:16PM +0200, Michael Banck wrote:
> On Sun, Jun 09, 2013 at 06:45:18PM +0200, Daniel Pocock wrote:
> > There have been multiple complaints about the new Gnome popup asking
> > for the root password
> 
> I am not sure what you are complaining about - that you need to specify
> the root password to install packages, or that gnome requests additional
> packages to support your phone?
> 
> > I opened a bug for discussion about the issue,
> 
> You opened a release critical bug, that's a weird way of starting a
> "discussion".
> 
> > Essentially, my feeling is that users should be encouraged to NEVER put
> > their root password into some popup that appears spontaneously on their
> > computer.  Having this popup in Debian, by default, desensitizes users
> > to the type of popups that will aim to deceive them.
> > 
> > If you look at the Wikipedia page about phishing[2], teaching users not
> > to trust random requests for information is the top strategy.  This
> > popup undermines attempts to train users to think that way.
> > 
> > A phishing attack doesn't even need to replicate the popup perfectly:
> > the attacker is simply aiming to fool some random percentage of users.
> > He doesn't need to trick every user every time.
> > 
> > What does the most damage is simply the fact that users come to accept
> > that such popups are normal and potentially trustworthy.
> > 
> > Is there any policy within Debian about such matters, particularly for
> > packages that are a default part of the distribution?  Is it too late to
> > remove this popup from wheezy?
> 
> I think the best approach would be sudo and requesting the user for
> their own password - and probably be more informative about why the
> password is needed or what is being installed.
> 
> The latter is quite certainly too late to be changed in wheezy, the
> former possibly as well.  However, now is the time to make sure this is
> going to be fixed for jessie.

In my gross stupidity this seems like a nonissue. How does a popup
asking for your root p/w differ from using the CLI, typing "su" and
being asked for the root p/w? I'm assuming that the popup was in
connection with a command (GUI) that legitimately would require root
privileges. A popup from a CLI command would wave a red flag.

-- 
Bob Holtzman
If you think you're getting free lunch, 
check the price of the beer.
Key ID: 8D549279


signature.asc
Description: Digital signature