Untrusted software and security click-through warnings

João Pinto lamego.pinto at gmail.com
Tue Oct 2 09:23:27 UTC 2007 

I taught we were talking about users which are expected to understand what
is a software repository or what is a software install package, the security
improvement would be for those users, to make sure they would understand the
risks of using such resources.
In my opinion for users which do have the trivial understanding of software
installation on the system, the only safe approach is to not grant them
admin privileges at all.

I guess the goal is not to discourage users from downloading software of the
Web in general, the goal is to drive the users to install software from
trusted sources. Both repositories and web sites can be trusted or untrusted
sources.

The option of providing an installer dialog to present the users to the
basic rules of security when dealing with system software installation was
oriented for those which (I hope) are the minority of users which still do
not understand the risks of installing software from random sources,
probably it is not a feature that would make a difference for most users.

The major source of spyware/virus/trojans has been:
  1 - exploits which allow the unattended installation of software
  2 - fake software, or "companion" software

Case 1 can only be addressed by providing security fixes in time in case
such exploits are discovered
Case 2 can only be addressed by educating people on how to use the internet
on a safely manner, again, typing random commands from an untrusted web site
is a major security risk for any OS, and it is a very common practice for
Linux users in particular

Best regards,

2007/10/2, Matthew Paul Thomas <mpt at canonical.com>:
>
> On Oct 2, 2007, at 11:51 AM, João Pinto wrote:
> > ...
> > If PPAs availability increases there will be nasty people providing
> > nasty packages, if you are concerned about naive users, then my first
> > suggestion is to present an initial screen during Ubuntu install with:
> > "If you add extra repositories or install .debs from the web, please
> > make sure you are using a trusted source, otherwise you may get
> > malicious software", if it is important enough, let's make it hard to
> > accept, it is a simple text o read (1 line), there is no excuse for
> > "next -> next".
> > ...
>
> Regardless of whether you think there is any "excuse" for "next ->
> next", most people would still do it, and wouldn't read the message.
>
> Even if they did read the message, most wouldn't have a clue what you
> meant by "repositories", ".debs", or "trusted source".
>
> And even if they did understand the message, it could be weeks, months,
> or years later that they first had the opportunity to download software
> from the Web. Quite long enough to forget that they shouldn't be doing
> it.
>
> If you want to discourage people from downloading software off the Web,
> an operating system installer is hardly the place to do it.
>
> Cheers
> --
> Matthew Paul Thomas
> http://mpt.net.nz/
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>
>
>


-- 
João Pinto
GetDeb Package Builder
http://www.getdeb.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-devel-discuss/attachments/20071002/5817dc7f/attachment.html>

More information about the Ubuntu-devel-discuss mailing list