
Re: KLIK - Userspace Software Installation



On Wed, 10 Oct 2007 20:40:11 +0200, Holger Levsen <holger@layer-acht.org> wrote:

Hi,

On Wednesday 10 October 2007 17:04, RalfGesellensetter wrote:
Any further thoughts for this?

even more security nightmares.

 I have to agree with Holger.  Klik may be fine for a single-user
system, or maybe even a family computer, but not for a large multi-
user installation!

 Does Klik do any sandboxing?  And which part enforces the sandboxing;
the system support binaries (whatever they are) or the package itself?

Trusting EVERY user out of a LARGE number of users to apply sound judgement
as to whether a package is safe is an invitation to disaster.  It's Windows
all over again, in a bad way.  Read on below...


 Unless Klik has heavy, mandatory sandboxing enforced by the _system_,
it will be a potent vector for malware.  It can leverage networked social
engineering:

User A to user B: "Hey, this software is cool!"
(User B tries it out, and is seduced by bells and whistles)
User B to group of friends: "Hey this software is cool!"

 Even better, a piece of malware has code to impersonate a user, and
send out messages like "Hey, this is cool!" to all of his/her buddies.
And after a few months with Klik usage, many users will consider such
messages normal, and _cool_!  So they will likely take the bait.

--
Herman Robak


