Re: security policy / root passwords
On 11/06/13 00:37, Jens Roder wrote: Hello, just like to add that today this feature with the popup blocked my gnome within the suspend procedure, which I did not see but got a hot running laptop in the bag. When I opened the laptop again I saw the problem and when clicking on cancel, the laptop finally when to suspend. That could explain one or more of the hot laptop experiences I had before - I had assumed the power management or kernel was at fault, although in my case it was so hot that it was unresponsive and I never found out what really caused it: http://lists.debian.org/debian-devel/2013/03/msg00487.html If that is the case, then it provides more reason to disable the popup by default in stable I think, just naming something a feature belongs more to microsoft behavior and shouldn't be copied in the linux world. A few things maybe useful but not for all people. Giving people the choice is the main point here. Whether you create a package that configures all with the funny new features and leave it to the user, if he wants this configuration or just uninstalls it to have a more conservative behavior for server setups. I think it is a big mistake to design desktops with similar behaviors like one knows from the windows world. Most popup do not make any sense and interrupt people by working. Upcoming programs stealing the mouse, refocus, or resize are just annoying when writing a document. The new gnome 3 desktop is nice, except it goes snow when too many windows are open (for a CTWM no problem) or it blocks the desktop switching because flashplayer freezes and gnome3 cannot access the graphics of the window. Nice features but cause serious problem, similar like this uninforming root password question and blocking the screen for wlan passwords. There is no need to block the screen as it can accidently pop up while writing a document and one would like to finish the sentence before typing a password. Such things come with force, rather than with the option of action which is a more elegant design. And another final problem are program menus which grap the mouse and when the program freezes, there is no way to release the mouse again execpt going out of X and into the consoles to kill the process. Recently skype's technical information window did not vanish. From gome menu I chose close window what it then did, but it took all with it and did freeze the desktop, even CTRL+ALT+F1 did not work to go out. Was a reboot and not nice I suggest to create window managers more independent from programs in order to increase stabilization. Also even when configured strict mouse behavior, the new upcoming program first graps the mouse and when moving it over the next window, it does not follow, here one has to click, after all is fine. I really suggest, give people more choice to configure things like they like or they are used to. X window system and window manager together have really nice features, just try not to make it like microsoft windows. I've also seen another laptop that is on the fringe of a wifi coverage zone getting into a bad state where multiple copies of the wifi password window appear - if the laptop is unattended for a few hours, you can come back to it and find 1,000s of those popups and it is unusable. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51b6de48.4020...@pocock.com.au
Re: security policy / root passwords
On 11/06/13 01:11, Michael Banck wrote: Hi Daniel, On Mon, Jun 10, 2013 at 09:24:39PM +0200, Daniel Pocock wrote: Every copy of jessie could be distributed with one of the red hoods referred to in this article: http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance I presume it has some kind of electromagnetic shielding too. Please keep it on topic. The intention of this topic was to get people thinking about how/when they enter their root password - and there are a range of risks and solutions, such as checking the machine for hardware key loggers or not putting their password into popups under any circumstances - and for the more concerned users, the red hood (ignoring everything else in the URL above), smart cards and other options are an extension of this topic. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51b6e001.7010...@pocock.com.au
Re: security policy / root passwords
On Tue, Jun 11, 2013 at 10:22:32AM +0200, Daniel Pocock wrote: [...] I've also seen another laptop that is on the fringe of a wifi coverage zone getting into a bad state where multiple copies of the wifi password window appear - if the laptop is unattended for a few hours, you can come back to it and find 1,000s of those popups and it is unusable. Oh I've noticed that too. When that happens I just kill nm-applet. I really wish NetworkManager would keep track of how many password prompt windows it opens. Most of the time I come back to several of those popups and notice that the network has re-established itself already -- the popups were irrelevant. -- Kind regards, Loong Jin signature.asc Description: Digital signature
Re: Re: security policy / root passwords
Am 10.06.2013 11:10, schrieb Josselin Mouette: What is new is that PackageKit asks for a system update *systematically* when it finds the system is not up-to-date. I don’t know why, but it seems to have started with the wheezy release, it did not happen during the freeze. When I first got that message I was also concerned, because I thought my system wasn't set up to update packages automatically. Then I checked and it turned out it was set up to only do security updates by itself, which obviously didn't exist before the release. The problem was not that there was a password prompt, but that it didn't give me any information whatsoever, just Enter the password to update packages. If it would have shown me what packages it wants to update and/or a small link to more information (where to configure automatic updates), that experience would have been much nicer. Cheers, Tobias -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51b7a4bd.4040...@debian.org
Re: security policy / root passwords
On Sun, Jun 09, 2013 at 07:41:34PM +0200, Daniel Pocock wrote: My feeling is that the user should be told go and run sudo or su in a terminal window you opened manually Otherwise, they can't be sure they are putting their password in a genuine Debian popup. Please explain your threat model. From the discussion I am assuming that it looks somewhat like this: The attacker already has the privilege to execute arbitrary code as the user account and wants to elevate that to root now. How is su or sudo going to help here? Writing a key logging wrapper in expect is a matter of 10 lines. The reason, that popups are used for tricking users into revealing their password, is that there are so many uses of these popups. Had everyone been using the terminal approach, the story would have been the other way round. If your account is compromised and you regularly use it to switch to root (no matter how), then the best guess is that your system is compromised as well. In order to really escape from this issue, you need something unforgeable. A certain OS from Redmond actually shows, how this can be done. In some versions it would require the user to press Ctrl-Alt-Delete before logging in, so forging the login screen was next to impossible. So to really separate the user from the administrator, administrative actions would need to be queued somewhere, then the user needs to switch to an administrative account (doing something like the key combo dance) and then process pending actions from that account. Now is this really worth it? Helmut -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130610061349.GA13389@localhost.localdomain
Re: security policy / root passwords
On Sun, Jun 09, 2013 at 07:20:16PM +0200, Michael Banck wrote: Is there any policy within Debian about such matters, particularly for packages that are a default part of the distribution? Is it too late to remove this popup from wheezy? I think the best approach would be sudo and requesting the user for their own password - and probably be more informative about why the password is needed or what is being installed. By the way, this seems to be the case for my wheezy installation, however, I am running vanilla Gnome3, not Classic (and have been running wheezy all along sind late 2012). So maybe either you are missing some sudo-related package, or the classic mode is behaving differently, possibly due to less testing (if the sudo route is indeed the intended one). Michael -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130610072118.gc26...@nighthawk.chemicalconnection.dyndns.org
Re: security policy / root passwords
Michael Banck mba...@debian.org writes: I think the best approach would be sudo and requesting the user for their own password - and probably be more informative about why the password is needed or what is being installed. By the way, this seems to be the case for my wheezy installation, however, I am running vanilla Gnome3, not Classic (and have been running wheezy all along sind late 2012). Perhaps your user is in the sudo group? If yes then at least in squeeze policykit will consider you to be admin: $ cat /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf [Configuration] AdminIdentities=unix-group:sudo -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/848v2izak6@sauna.l.org
Re: security policy / root passwords
A few points: 1) if your user is part of sudo group, most of the time gnome will ask for your user's password instead of root's. 2) Debian is a finite set of software. It provides packages (literally thousands of them) that are stable, safe and malicious pop-ups free. It also provides packages enabling user to run software that cannot be found in Debian's pool (and is potentially unsafe) in a safe, virtualized environment (qemu and stuff). 3) xfce needs less root 4) asking a user to open up a console and type their root's password there will add unnecessary complexity while enforcing a security mechanism like selinux will be a pain. Please leave it be. On Mon, Jun 10, 2013 at 9:31 AM, Timo Juhani Lindfors timo.lindf...@iki.fiwrote: Michael Banck mba...@debian.org writes: I think the best approach would be sudo and requesting the user for their own password - and probably be more informative about why the password is needed or what is being installed. By the way, this seems to be the case for my wheezy installation, however, I am running vanilla Gnome3, not Classic (and have been running wheezy all along sind late 2012). Perhaps your user is in the sudo group? If yes then at least in squeeze policykit will consider you to be admin: $ cat /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf [Configuration] AdminIdentities=unix-group:sudo -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/848v2izak6@sauna.l.org
Re: security policy / root passwords
Hi, Le dimanche 09 juin 2013 à 18:45 +0200, Daniel Pocock a écrit : There have been multiple complaints about the new Gnome popup asking for the root password I opened a bug for discussion about the issue, but it was closed by another DD (not the maintainer) - [1]. Other users have come across the bug too and requested attention for it with the same concerns that I have. Essentially, my feeling is that users should be encouraged to NEVER put their root password into some popup that appears spontaneously on their computer. Having this popup in Debian, by default, desensitizes users to the type of popups that will aim to deceive them. I think there is some big confusion here. It is not new for GNOME to ask for the root password for actions that require root permissions. This is done through PolicyKit, which avoids to run privileged code in the GUI, but which will nevertheless require to type the root password in an unprivileged process (there is not much way around that). What is new is that PackageKit asks for a system update *systematically* when it finds the system is not up-to-date. I don’t know why, but it seems to have started with the wheezy release, it did not happen during the freeze. I consider it a bug, and one that we should aim to fix in the first wheezy point release. Cheers, -- .''`. Josselin Mouette : :' : `. `' `- -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/1370855422.3721.249.camel@pi0307572
Re: security policy / root passwords
On 10/06/13 10:21, Alexey Serikov wrote: A few points: 1) if your user is part of sudo group, most of the time gnome will ask for your user's password instead of root's. 2) Debian is a finite set of software. It provides packages (literally thousands of them) that are stable, safe and malicious pop-ups free. It also provides packages enabling user to run software that cannot be found in Debian's pool (and is potentially unsafe) in a safe, virtualized environment (qemu and stuff). The potential phishing attack would be likely to take one of two forms: a) a web site displaying a PolicyKit popup that resembles the wording of the Debian popup b) an X window compromise that allows an attacker to display a popup (although such compromises often give the attacker the ability to monitor keystrokes and obtain passwords in other ways) There is no suggestion that any existing package contains a malicious popup. 3) xfce needs less root 4) asking a user to open up a console and type their root's password there will add unnecessary complexity while enforcing a security mechanism like selinux will be a pain. Please leave it be. pain means the user thinks about what they are doing and follows a pre-defined procedure that is known to be relatively secure The real issue here is not about the technical quality of the popup or whether the package works or not, it is about the potential for this type of workflow to condition users into a mindset of trusting popups that makes a percentage of users more likely to be caught by a phishing attack. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51b5b9b9.4080...@pocock.com.au
Re: security policy / root passwords
On 10/06/13 12:34, Daniel Pocock wrote: a) a web site displaying a PolicyKit popup that resembles the wording of the Debian popup GNOME Shell does mitigate this by using a distinctive UI for system-modal dialogs, which makes use of the fact that the Shell is the window compositor in order to dim the rest of the screen: http://people.gnome.org/~halfline/power-off-dialog.png That's the power off dialog, but PolicyKit prompts are similar. Notice that everything outside the dialog is desaturated and darker than usual. I would hope that web browsers don't have that level of control over the system's appearance (going to full-screen is the closest they could get, and they'd still have to reproduce a darkened form of the entire screen contents somehow). b) an X window compromise that allows an attacker to display a popup (although such compromises often give the attacker the ability to monitor keystrokes and obtain passwords in other ways) I don't know whether a client with X access would be able to emulate a system-modal dialog more closely; it might be able to do tricks with screenshots? As you say, input logging is probably more of a concern here. S -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51b5c2ca.70...@debian.org
Re: security policy / root passwords
On 10/06/13 14:12, Simon McVittie wrote: On 10/06/13 12:34, Daniel Pocock wrote: a) a web site displaying a PolicyKit popup that resembles the wording of the Debian popup GNOME Shell does mitigate this by using a distinctive UI for system-modal dialogs, which makes use of the fact that the Shell is the window compositor in order to dim the rest of the screen: http://people.gnome.org/~halfline/power-off-dialog.png That's the power off dialog, but PolicyKit prompts are similar. Notice that everything outside the dialog is desaturated and darker than usual. I would hope that web browsers don't have that level of control over the system's appearance (going to full-screen is the closest they could get, and they'd still have to reproduce a darkened form of the entire screen contents somehow). That screenshot appears to be Gnome 3. I log in with Gnome Classic so maybe I'm experiencing something different. The dialog I see does not have the appearance of the screenshot in that link - you can see a screenshot attached to the bug here: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=25;filename=708548.png;att=1;bug=708548 and it is not modal either. Those may be other bugs in the way this works. I agree that having a modal dialog with a dimmed background would help, maybe this is meant to happen but the code is not working correctly in Gnome classic mode? It was also demonstrated with Windows 7 that users could be tricked by web sites that simply dimmed the background of the browser window - so it is not a perfect solution and I would personally prefer to see users referred to initiate su or sudo on their own. Another way to do this might be telling them about updates at login time or when the screen is locked. Those are places where the user normally enters a password anyway. Immediately after they enter the password, the user could be informed about pending updates, within the same login UI, rather than having popups appearing out of nowhere. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51b5cc89.3060...@pocock.com.au
Re: security policy / root passwords
Daniel Pocock wrote: It was also demonstrated with Windows 7 that users could be tricked by web sites that simply dimmed the background of the browser window - so it is not a perfect solution and I would personally prefer to see users referred to initiate su or sudo on their own. Initiate su or sudo as in from a terminal? Conditioning users to write commands in a terminal when prompted by a dialog sounds even worse than leaking passwords. At least leaking system passwords is less catastrophic when the system allows no remote login. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/1370869938.18948.18.camel@glyph.nonexistent.invalid
Re: security policy / root passwords
On 10/06/13 13:54, Daniel Pocock wrote: That screenshot appears to be Gnome 3. I log in with Gnome Classic so maybe I'm experiencing something different. I did say GNOME Shell. The fallback GNOME 3.4 session (which might well be called Classic in the UI in wheezy) doesn't use Shell, so it doesn't have access to the same way to mitigate this, and I would expect it to use the standalone PolicyKit UI, which is just a normal user-level application and looks like your screenshot. GNOME = 3.8 has a new Classic mode which uses Shell, but adjusts it to look and behave more like GNOME 2. I don't know how its PolicyKit dialogs behave - they're probably GNOME Shell modal dialogs in a more GNOME-2-like (i.e. grey) colour scheme. I agree that having a modal dialog with a dimmed background would help, maybe this is meant to happen but the code is not working correctly in Gnome classic mode? Fallback mode is/was a fallback for unsupported graphics hardware; it doesn't have the UI that upstream intended, only an approximation. The Shell-based session is how it's meant to work. It was also demonstrated with Windows 7 that users could be tricked by web sites that simply dimmed the background of the browser window - so it is not a perfect solution and I would personally prefer to see users referred to initiate su or sudo on their own. Sure, it's a mitigation, not a solution. I don't think telling non-technical users they need to run cryptic commands is desirable (they'll just not update at all!) and there are technical limitations in su/sudo/gksu that are solved by PolicyKit[1], but I agree that anything that asks for the user or root password should be a response to user action. In squeeze, the GNOME update notifier consisted of an icon in the notification area which appeared when there were updates; when users clicked on it, they were prompted for their password and could then install the updates. That seems fine to me. Another way to do this might be telling them about updates at login time or when the screen is locked. Those are places where the user normally enters a password anyway. Immediately after they enter the password, the user could be informed about pending updates, within the same login UI, rather than having popups appearing out of nowhere. That's an interesting idea; please suggest it upstream. S [1] among others: * sanitizing the environment (done by sudo and PK but not by su) * configurable level of authentication required (done at an abstract level by PK, done at a command-line level by sudo, not done at all by su) * splitting privileged actions into an unprivileged GUI and a privileged daemon, rather than running the GUI with privileges (supported and encouraged by PK, not well-supported by sudo or su) * ability to use system-modal prompting or a secure input path (partially done by PK under GNOME Shell, likely to get better under Wayland, not supported by sudo or su) -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51b5d6cb.5080...@debian.org
Re: security policy / root passwords
Simon McVittie writes (Re: security policy / root passwords): * splitting privileged actions into an unprivileged GUI and a privileged daemon, rather than running the GUI with privileges (supported and encouraged by PK, not well-supported by sudo or su) This gives me another opportunity to plug userv. userv is a tool for helping split a local program or service into differently-privileged parts. Specifically it's a way of letting one user execute programs to be run as another user, with appropriate security properties. Ian. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20917.57113.942820.667...@chiark.greenend.org.uk
Re: security policy / root passwords
Simon McVittie s...@debian.org writes: * ability to use system-modal prompting or a secure input path (partially done by PK under GNOME Shell, likely to get better under Wayland, not supported by sudo or su) Not relevant to the current discussion but this got me curious: can the input path really be secure under X11? -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/8461xmt4ly@sauna.l.org
Re: security policy / root passwords
On 10/06/13 15:36, Timo Juhani Lindfors wrote: Simon McVittie s...@debian.org writes: * ability to use system-modal prompting or a secure input path (partially done by PK under GNOME Shell, likely to get better under Wayland, not supported by sudo or su) Not relevant to the current discussion but this got me curious: can the input path really be secure under X11? It can at least be a bit more robust against accidentally typing your password into the wrong window (although perhaps not secure against deliberate abuse by a malicious application) by taking an input grab, like the various pinentry-* and ssh-askpass implementations do. I'm not sure how far GNOME Shell goes with securing input to system-modal dialogs, but again, the fact that it's modal makes it a bit more robust against mistakes. S -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51b5e7f3.2000...@debian.org
Re: security policy / root passwords
On 10/06/13 16:51, Simon McVittie wrote: On 10/06/13 15:36, Timo Juhani Lindfors wrote: Simon McVittie s...@debian.org writes: * ability to use system-modal prompting or a secure input path (partially done by PK under GNOME Shell, likely to get better under Wayland, not supported by sudo or su) Not relevant to the current discussion but this got me curious: can the input path really be secure under X11? It can at least be a bit more robust against accidentally typing your password into the wrong window (although perhaps not secure against deliberate abuse by a malicious application) by taking an input grab, like the various pinentry-* and ssh-askpass implementations do. I'm not sure how far GNOME Shell goes with securing input to system-modal dialogs, but again, the fact that it's modal makes it a bit more robust against mistakes. Every copy of jessie could be distributed with one of the red hoods referred to in this article: http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance I presume it has some kind of electromagnetic shielding too. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51b627f7.4040...@pocock.com.au
Re: security policy / root passwords
Hello, just like to add that today this feature with the popup blocked my gnome within the suspend procedure, which I did not see but got a hot running laptop in the bag. When I opened the laptop again I saw the problem and when clicking on cancel, the laptop finally when to suspend. I think, just naming something a feature belongs more to microsoft behavior and shouldn't be copied in the linux world. A few things maybe useful but not for all people. Giving people the choice is the main point here. Whether you create a package that configures all with the funny new features and leave it to the user, if he wants this configuration or just uninstalls it to have a more conservative behavior for server setups. I think it is a big mistake to design desktops with similar behaviors like one knows from the windows world. Most popup do not make any sense and interrupt people by working. Upcoming programs stealing the mouse, refocus, or resize are just annoying when writing a document. The new gnome 3 desktop is nice, except it goes snow when too many windows are open (for a CTWM no problem) or it blocks the desktop switching because flashplayer freezes and gnome3 cannot access the graphics of the window. Nice features but cause serious problem, similar like this uninforming root password question and blocking the screen for wlan passwords. There is no need to block the screen as it can accidently pop up while writing a document and one would like to finish the sentence before typing a password. Such things come with force, rather than with the option of action which is a more elegant design. And another final problem are program menus which grap the mouse and when the program freezes, there is no way to release the mouse again execpt going out of X and into the consoles to kill the process. Recently skype's technical information window did not vanish. From gome menu I chose close window what it then did, but it took all with it and did freeze the desktop, even CTRL+ALT+F1 did not work to go out. Was a reboot and not nice I suggest to create window managers more independent from programs in order to increase stabilization. Also even when configured strict mouse behavior, the new upcoming program first graps the mouse and when moving it over the next window, it does not follow, here one has to click, after all is fine. I really suggest, give people more choice to configure things like they like or they are used to. X window system and window manager together have really nice features, just try not to make it like microsoft windows. cheers Jens -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/831ea06c08e40b459a98bff9939167e85a3b0...@cernxchg32.cern.ch
Re: security policy / root passwords
On Mon, Jun 10, 2013 at 08:04:27AM +0800, Chow Loong Jin wrote: On Sun, Jun 09, 2013 at 01:06:40PM -0700, Robert Holtzman wrote: [...] In my gross stupidity this seems like a nonissue. How does a popup asking for your root p/w differ from using the CLI, typing su and being asked for the root p/w? I'm assuming that the popup was in connection with a command (GUI) that legitimately would require root privileges. A popup from a CLI command would wave a red flag. Typing in your root p/w in a prompt on the CLI is manually initiated -- you run a command that you know will prompt you for a password, and it prompts you. That's what I said. Having a random popup in your face asking you for your password, with the reason for its appearance not always immediately clear, could be bad because you would then be desensitizing yourself to password prompts, and on one fine morning before the caffeine, you might just accidentally type your password into a malicious prompt that you didn't verify beforehand. Exactly right. -- Bob Holtzman If you think you're getting free lunch, check the price of the beer. Key ID: 8D549279 signature.asc Description: Digital signature
Re: security policy / root passwords
Hi Daniel, On Mon, Jun 10, 2013 at 09:24:39PM +0200, Daniel Pocock wrote: Every copy of jessie could be distributed with one of the red hoods referred to in this article: http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance I presume it has some kind of electromagnetic shielding too. Please keep it on topic. Thanks, Michael -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130610231158.gb26...@nighthawk.chemicalconnection.dyndns.org
Re: security policy / root passwords
Am 10.06.2013 11:10, schrieb Josselin Mouette: I consider it a bug, and one that we should aim to fix in the first wheezy point release. nod. that said, the first point release is basically done, so this will have to wait for 7.2 -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? signature.asc Description: OpenPGP digital signature
Re: security policy / root passwords
On Sun, Jun 09, 2013 at 06:45:18PM +0200, Daniel Pocock wrote: There have been multiple complaints about the new Gnome popup asking for the root password I am not sure what you are complaining about - that you need to specify the root password to install packages, or that gnome requests additional packages to support your phone? I opened a bug for discussion about the issue, You opened a release critical bug, that's a weird way of starting a discussion. Essentially, my feeling is that users should be encouraged to NEVER put their root password into some popup that appears spontaneously on their computer. Having this popup in Debian, by default, desensitizes users to the type of popups that will aim to deceive them. If you look at the Wikipedia page about phishing[2], teaching users not to trust random requests for information is the top strategy. This popup undermines attempts to train users to think that way. A phishing attack doesn't even need to replicate the popup perfectly: the attacker is simply aiming to fool some random percentage of users. He doesn't need to trick every user every time. What does the most damage is simply the fact that users come to accept that such popups are normal and potentially trustworthy. Is there any policy within Debian about such matters, particularly for packages that are a default part of the distribution? Is it too late to remove this popup from wheezy? I think the best approach would be sudo and requesting the user for their own password - and probably be more informative about why the password is needed or what is being installed. The latter is quite certainly too late to be changed in wheezy, the former possibly as well. However, now is the time to make sure this is going to be fixed for jessie. Michael -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130609172016.gb26...@nighthawk.chemicalconnection.dyndns.org
Re: security policy / root passwords
On 09/06/13 19:20, Michael Banck wrote: On Sun, Jun 09, 2013 at 06:45:18PM +0200, Daniel Pocock wrote: There have been multiple complaints about the new Gnome popup asking for the root password I am not sure what you are complaining about - that you need to specify the root password to install packages, or that gnome requests additional packages to support your phone? The popup doesn't just appear when my phone is attached - sometimes it appears spontaneously I opened a bug for discussion about the issue, You opened a release critical bug, that's a weird way of starting a discussion. The popup didn't exist in previous versions of Debian and the average user has no idea which popups are the real ones. Some people find this issue more severe than others. Essentially, my feeling is that users should be encouraged to NEVER put their root password into some popup that appears spontaneously on their computer. Having this popup in Debian, by default, desensitizes users to the type of popups that will aim to deceive them. If you look at the Wikipedia page about phishing[2], teaching users not to trust random requests for information is the top strategy. This popup undermines attempts to train users to think that way. A phishing attack doesn't even need to replicate the popup perfectly: the attacker is simply aiming to fool some random percentage of users. He doesn't need to trick every user every time. What does the most damage is simply the fact that users come to accept that such popups are normal and potentially trustworthy. Is there any policy within Debian about such matters, particularly for packages that are a default part of the distribution? Is it too late to remove this popup from wheezy? I think the best approach would be sudo and requesting the user for their own password - and probably be more informative about why the password is needed or what is being installed. My feeling is that the user should be told go and run sudo or su in a terminal window you opened manually Otherwise, they can't be sure they are putting their password in a genuine Debian popup. The latter is quite certainly too late to be changed in wheezy, the former possibly as well. However, now is the time to make sure this is going to be fixed for jessie. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51b4be4e.9060...@trendhosting.net
Re: security policy / root passwords
Daniel Pocock dan...@trendhosting.net writes: My feeling is that the user should be told go and run sudo or su in a terminal window you opened manually I don't think terminal emulation is really a good solution here but your idea does have some merits. Maybe you can make your own policykit agent that asks for the password only if you first navigate to some menu where you can approve pending policykit authentication requests? If it existed it could be proposed as an alternative and maybe in time as the default? -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/84hah7yvl1@sauna.l.org
Re: security policy / root passwords
On Sun, Jun 09, 2013 at 07:20:16PM +0200, Michael Banck wrote: On Sun, Jun 09, 2013 at 06:45:18PM +0200, Daniel Pocock wrote: There have been multiple complaints about the new Gnome popup asking for the root password I am not sure what you are complaining about - that you need to specify the root password to install packages, or that gnome requests additional packages to support your phone? I opened a bug for discussion about the issue, You opened a release critical bug, that's a weird way of starting a discussion. Essentially, my feeling is that users should be encouraged to NEVER put their root password into some popup that appears spontaneously on their computer. Having this popup in Debian, by default, desensitizes users to the type of popups that will aim to deceive them. If you look at the Wikipedia page about phishing[2], teaching users not to trust random requests for information is the top strategy. This popup undermines attempts to train users to think that way. A phishing attack doesn't even need to replicate the popup perfectly: the attacker is simply aiming to fool some random percentage of users. He doesn't need to trick every user every time. What does the most damage is simply the fact that users come to accept that such popups are normal and potentially trustworthy. Is there any policy within Debian about such matters, particularly for packages that are a default part of the distribution? Is it too late to remove this popup from wheezy? I think the best approach would be sudo and requesting the user for their own password - and probably be more informative about why the password is needed or what is being installed. The latter is quite certainly too late to be changed in wheezy, the former possibly as well. However, now is the time to make sure this is going to be fixed for jessie. In my gross stupidity this seems like a nonissue. How does a popup asking for your root p/w differ from using the CLI, typing su and being asked for the root p/w? I'm assuming that the popup was in connection with a command (GUI) that legitimately would require root privileges. A popup from a CLI command would wave a red flag. -- Bob Holtzman If you think you're getting free lunch, check the price of the beer. Key ID: 8D549279 signature.asc Description: Digital signature
Re: security policy / root passwords
On Sun, Jun 09, 2013 at 01:06:40PM -0700, Robert Holtzman wrote: [...] In my gross stupidity this seems like a nonissue. How does a popup asking for your root p/w differ from using the CLI, typing su and being asked for the root p/w? I'm assuming that the popup was in connection with a command (GUI) that legitimately would require root privileges. A popup from a CLI command would wave a red flag. Typing in your root p/w in a prompt on the CLI is manually initiated -- you run a command that you know will prompt you for a password, and it prompts you. Having a random popup in your face asking you for your password, with the reason for its appearance not always immediately clear, could be bad because you would then be desensitizing yourself to password prompts, and on one fine morning before the caffeine, you might just accidentally type your password into a malicious prompt that you didn't verify beforehand. -- Kind regards, Loong Jin signature.asc Description: Digital signature