security policy / root passwords
There have been multiple complaints about the new Gnome popup asking for
the root password

I opened a bug for discussion about the issue, but it was closed by
another DD (not the maintainer) - [1].  Other users have come across the
bug too and requested attention for it with the same concerns that I have.

Essentially, my feeling is that users should be encouraged to NEVER put
their root password into some popup that appears spontaneously on their
computer.  Having this popup in Debian, by default, desensitizes users
to the type of popups that will aim to deceive them.

If you look at the Wikipedia page about phishing[2], teaching users not
to trust random requests for information is the top strategy.  This
popup undermines attempts to train users to think that way.

A phishing attack doesn't even need to replicate the popup perfectly:
the attacker is simply aiming to fool some random percentage of users.
He doesn't need to trick every user every time.

What does the most damage is simply the fact that users come to accept
that such popups are normal and potentially trustworthy.

Is there any policy within Debian about such matters, particularly for
packages that are a default part of the distribution?  Is it too late to
remove this popup from wheezy?
1. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708548

2. http://en.wikipedia.org/wiki/Phishing#Social_responses