On Sun, Jun 09, 2013 at 07:20:16PM +0200, Michael Banck wrote:
> On Sun, Jun 09, 2013 at 06:45:18PM +0200, Daniel Pocock wrote:
> > There have been multiple complaints about the new Gnome popup asking
> > for the root password
>
> I am not sure what you are complaining about - that you need to specify
> the root password to install packages, or that gnome requests additional
> packages to support your phone?
>
> > I opened a bug for discussion about the issue,
>
> You opened a release critical bug, that's a weird way of starting a
> "discussion".
>
> > Essentially, my feeling is that users should be encouraged to NEVER put
> > their root password into some popup that appears spontaneously on their
> > computer. Having this popup in Debian, by default, desensitizes users
> > to the type of popups that will aim to deceive them.
> >
> > If you look at the Wikipedia page about phishing[2], teaching users not
> > to trust random requests for information is the top strategy. This
> > popup undermines attempts to train users to think that way.
> >
> > A phishing attack doesn't even need to replicate the popup perfectly:
> > the attacker is simply aiming to fool some random percentage of users.
> > He doesn't need to trick every user every time.
> >
> > What does the most damage is simply the fact that users come to accept
> > that such popups are normal and potentially trustworthy.
> >
> > Is there any policy within Debian about such matters, particularly for
> > packages that are a default part of the distribution? Is it too late to
> > remove this popup from wheezy?
>
> I think the best approach would be sudo and requesting the user for
> their own password - and probably be more informative about why the
> password is needed or what is being installed.
>
> The latter is quite certainly too late to be changed in wheezy, the
> former possibly as well. However, now is the time to make sure this is
> going to be fixed for jessie.
In my gross stupidity this seems like a nonissue. How does a popup
asking for your root p/w differ from using the CLI, typing "su" and
being asked for the root p/w? I'm assuming that the popup was in
connection with a command (GUI) that legitimately would require root
privileges. A popup from a CLI command would wave a red flag.
--
Bob Holtzman
If you think you're getting free lunch,
check the price of the beer.
Key ID: 8D549279
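As an added illustration (not part of the thread above), the "sudo and requesting the user for their own password" suggestion can be implemented at the PolicyKit level without touching gnome-packagekit: the polkit Local Authority backend decides who counts as an "admin" for auth_admin actions, and Debian's default is the root user. Overriding that with a drop-in file makes the same dialog ask for the calling user's own password, provided that user is in the sudo group. The file name below is an assumed example; any *.conf in that directory with a higher numeric prefix than the shipped 50-localauthority.conf takes precedence.

```ini
; Assumed example file: /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf
; Overrides the stock AdminIdentities=unix-user:0 from 50-localauthority.conf.
; Effect: for actions whose policy is auth_admin / auth_admin_keep, the
; polkit agent prompts for the password of a member of group "sudo"
; (i.e. the logged-in user's own password) instead of root's.
[Configuration]
AdminIdentities=unix-group:sudo
```

This only changes which credential the prompt asks for; it does not make a spontaneous prompt distinguishable from a spoofed one, which is the separate concern raised earlier in the thread. Users who are not in the sudo group will get a prompt they cannot satisfy, so add the intended administrators with adduser USER sudo first.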