Re: security policy / root passwords



On Sun, Jun 09, 2013 at 06:45:18PM +0200, Daniel Pocock wrote:
> There have been multiple complaints about the new Gnome popup asking
> for the root password

I am not sure what you are complaining about - that you need to specify
the root password to install packages, or that gnome requests additional
packages to support your phone?

> I opened a bug for discussion about the issue,

You opened a release critical bug, that's a weird way of starting a
"discussion".

> Essentially, my feeling is that users should be encouraged to NEVER put
> their root password into some popup that appears spontaneously on their
> computer.  Having this popup in Debian, by default, desensitizes users
> to the type of popups that will aim to deceive them.
> 
> If you look at the Wikipedia page about phishing[2], teaching users not
> to trust random requests for information is the top strategy.  This
> popup undermines attempts to train users to think that way.
> 
> A phishing attack doesn't even need to replicate the popup perfectly:
> the attacker is simply aiming to fool some random percentage of users.
> He doesn't need to trick every user every time.
> 
> What does the most damage is simply the fact that users come to accept
> that such popups are normal and potentially trustworthy.
> 
> Is there any policy within Debian about such matters, particularly for
> packages that are a default part of the distribution?  Is it too late to
> remove this popup from wheezy?

I think the best approach would be sudo and asking the user for
their own password - and probably being more informative about why the
password is needed or what is being installed.

The latter is quite certainly too late to be changed in wheezy, the
former possibly as well.  However, now is the time to make sure this is
going to be fixed for jessie.


Michael