Re: KLIK - Userspace Software Installation
On Wed, 10 Oct 2007 20:40:11 +0200, Holger Levsen <holger@layer-acht.org> wrote:
> Hi,
>
> On Wednesday 10 October 2007 17:04, RalfGesellensetter wrote:
>> Any further thoughts for this?
>
> even more security nightmares.

I have to agree with Holger. Klik may be fine for a single-user
system, or maybe even a family computer, but not for a large multi-
user installation!
Does Klik do any sandboxing? And which part enforces the sandboxing;
the system support binaries (whatever they are) or the package itself?
Trusting EVERY user out of a LARGE number of users to apply sound
judgement as to whether a package is safe is an invitation to disaster.
It's Windows all over again, in a bad way. Read on below...
Unless Klik has heavy, mandatory sandboxing enforced by the _system_,
it will be a potent vector for malware. It can leverage networked social
engineering:
User A to user B: "Hey, this software is cool!"
(User B tries it out, and is seduced by bells and whistles)
User B to group of friends: "Hey this software is cool!"
Even better, a piece of malware has code to impersonate a user, and
send out messages like "Hey, this is cool!" to all of his/her buddies.
And after a few months with Klik usage, many users will consider such
messages normal, and _cool_! So they will likely take the bait.
--
Herman Robak