Shall we support the autorun feature?

Nathan R. Valentine nathan at nathanvalentine.org
Tue Jan 4 14:50:34 UTC 2005


> As for the security issue, please... what sort of issues could you get
> from this? Someone mails you a CD in the post (like AOL) and you
> insert it and get all of your files deleted? Don't think so. Or some
> person in your office handing you a specially made CD to steal your
> files? Again, it's highly unlikely. Look at Windows, this has been


Yes, those are legitimate examples of possible vectors. Now, extend the
idea to network shares via VFS. See below.


> implemented since at least '95 and I don't think there has been a
> security issue ever arising from it. Maybe we should focus on the very
> real issue of getting an easy to use update manager to patch systems,


You used to be able to insert media with auto-run capabilities into a
box running certain versions of Windows and bypass the screensaver
password among other things.

Also, it used to be possible to put auto-run files onto a malicious
network share. When a Windows user browsed that share the attacker was
basically limited only to his/her imagination. The "difficult" part was
getting that user to browse to the appropriate share. You only had to be
clever. I worked at a software development shop where the engineers
routinely came up with new and interesting ways to trick other engineers
into falling for this. It was considered a sport.

Both problems have since been fixed, at least the last time I looked,
but are examples of security problems that would not have been present
without auto-run. 

-- 
Nathan R. Valentine <nathan at nathanvalentine.org>