Re: security policy / root passwords



On Sun, Jun 09, 2013 at 07:20:16PM +0200, Michael Banck wrote:
> On Sun, Jun 09, 2013 at 06:45:18PM +0200, Daniel Pocock wrote:
> > There have been multiple complaints about the new Gnome popup asking
> > for the root password
> 
> I am not sure what you are complaining about - that you need to specify
> the root password to install packages, or that gnome requests additional
> packages to support your phone?
> 
> > I opened a bug for discussion about the issue,
> 
> You opened a release critical bug, that's a weird way of starting a
> "discussion".
> 
> > Essentially, my feeling is that users should be encouraged to NEVER put
> > their root password into some popup that appears spontaneously on their
> > computer.  Having this popup in Debian, by default, desensitizes users
> > to the type of popups that will aim to deceive them.
> > 
> > If you look at the Wikipedia page about phishing[2], teaching users not
> > to trust random requests for information is the top strategy.  This
> > popup undermines attempts to train users to think that way.
> > 
> > A phishing attack doesn't even need to replicate the popup perfectly:
> > the attacker is simply aiming to fool some random percentage of users.
> > He doesn't need to trick every user every time.
> > 
> > What does the most damage is simply the fact that users come to accept
> > that such popups are normal and potentially trustworthy.
> > 
> > Is there any policy within Debian about such matters, particularly for
> > packages that are a default part of the distribution?  Is it too late to
> > remove this popup from wheezy?
> 
> I think the best approach would be sudo and requesting the user for
> their own password - and probably be more informative about why the
> password is needed or what is being installed.
> 
> The latter is quite certainly too late to be changed in wheezy, the
> former possibly as well.  However, now is the time to make sure this is
> going to be fixed for jessie.

In my gross stupidity this seems like a nonissue. How does a popup
asking for your root p/w differ from using the CLI, typing "su" and
being asked for the root p/w? I'm assuming that the popup was in
connection with a command (GUI) that legitimately would require root
privileges. A popup from a CLI command would wave a red flag.

-- 
Bob Holtzman
If you think you're getting free lunch, 
check the price of the beer.
Key ID: 8D549279