
Re: security policy / root passwords



On 09/06/13 19:20, Michael Banck wrote:
> On Sun, Jun 09, 2013 at 06:45:18PM +0200, Daniel Pocock wrote:
>> There have been multiple complaints about the new Gnome popup asking
>> for the root password
> 
> I am not sure what you are complaining about - that you need to specify
> the root password to install packages, or that gnome requests additional
> packages to support your phone?

The popup doesn't just appear when my phone is attached - sometimes it
appears spontaneously.

>> I opened a bug for discussion about the issue,
> 
> You opened a release critical bug, that's a weird way of starting a
> "discussion".

The popup didn't exist in previous versions of Debian and the average
user has no idea which popups are the real ones.  Some people find this
issue more severe than others.

>> Essentially, my feeling is that users should be encouraged to NEVER put
>> their root password into some popup that appears spontaneously on their
>> computer.  Having this popup in Debian, by default, desensitizes users
>> to the type of popups that will aim to deceive them.
>>
>> If you look at the Wikipedia page about phishing[2], teaching users not
>> to trust random requests for information is the top strategy.  This
>> popup undermines attempts to train users to think that way.
>>
>> A phishing attack doesn't even need to replicate the popup perfectly:
>> the attacker is simply aiming to fool some random percentage of users.
>> He doesn't need to trick every user every time.
>>
>> What does the most damage is simply the fact that users come to accept
>> that such popups are normal and potentially trustworthy.
>>
>> Is there any policy within Debian about such matters, particularly for
>> packages that are a default part of the distribution?  Is it too late to
>> remove this popup from wheezy?
> 
> I think the best approach would be sudo and requesting the user for
> their own password - and probably be more informative about why the
> password is needed or what is being installed.

My feeling is that the user should be told "go and run sudo or su in a
terminal window you opened manually".

Otherwise, they can't be sure they are putting their password in a
genuine Debian popup.

> The latter is quite certainly too late to be changed in wheezy, the
> former possibly as well.  However, now is the time to make sure this is
> going to be fixed for jessie.
