Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
On 16/06/2009 mac_v wrote: In no way the system should decide what windows it can open... If this is allowed it is only a matter of time before someone develops a worm which uses this behavior and pops-up a window similar to the update manager which also asks for the user password allowing the worm to take control of the system using this password info. *Is ubuntu only going to realize this security risk after someone* *develops a proof of concept worm or a real virus* ? If this is done linux will no longer be THE secure OS. All windows in the window list should only be triggered by the user, all other system process should only trigger a notification. Do you think it is easy to design a webpage that simulates such a "password fraud"? I see a difficulty here due to having to dim the whole screen to look like the standard password request, not that an user would not enter it in any kind of pop-up. On the other hand, I have an idea for a secure way to ask for user input. In the installer, the user choses her own password, and the "secret phrase" which will be written in a root-only accessible file. This sentece will be shown to the user by the system when a password is asked and will autenticate the system with the user. The user should then be instructed not to enter his own password unless the right phrase is seen. A random phrase may be suggested automatically from a huge list. Vincenzo ___ Mailing list: https://launchpad.net/~ayatana Post to : ayatana@lists.launchpad.net Unsubscribe : https://launchpad.net/~ayatana More help : https://help.launchpad.net/ListHelp
Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
Vincenzo Ciancia wrote:
>
> Do you think it is easy to design a webpage that simulates such a
> "password fraud"? I see a difficulty here due to having to dim the whole
> screen to look like the standard password request, not that an user
> would not enter it in any kind of pop-up.
>
Actually the dimming part might not be tough! {not to get into too much
details,lest someone gets ideas} the dim can be done tirggering compiz
effects :P
But i'm not saying it is easy , but *can be done*.
> On the other hand, I have an idea for a secure way to ask for user
> input. In the installer, the user choses her own password, and the
> "secret phrase" which will be written in a root-only accessible file.
> This sentece will be shown to the user by the system when a password is
> asked and will autenticate the system with the user. The user should
> then be instructed not to enter his own password unless the right phrase
> is seen. A random phrase may be suggested automatically from a huge list.
>
> Vincenzo
>
+1.
WOW! i like this idea.
Cheers,
mac_v
___
Mailing list: https://launchpad.net/~ayatana
Post to : ayatana@lists.launchpad.net
Unsubscribe : https://launchpad.net/~ayatana
More help : https://help.launchpad.net/ListHelp
Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
mac_v, You raised very interesting point that the possibility of applications asking the user for root access without proving themselves as real system applications is a security risk. However I do not think the orage icon can solve this problem. It is true that a malicious application can fake the update-manager window. But a malicious application can also fake the orange icon or whatever notification approach we choose, as you are assuming that the "virus" is already running application under user privileges. I believe that Vincenzo gave an interesting solution below. It is worth some thought from the developers. But it is a different issue. Paulo Em Ter, 2009-06-16 às 12:00 +0200, Vincenzo Ciancia escreveu: > On 16/06/2009 mac_v wrote: > > In no way the system should decide what windows it can open... > > If this is allowed it is only a matter of time before someone > > develops a > > worm which uses this behavior and pops-up a window similar to the > > update > > manager which also asks for the user password allowing the worm to > > take > > control of the system using this password info. > > *Is ubuntu only going to realize this security risk after someone* > > *develops a proof of concept worm or a real virus* ? > > If this is done linux will no longer be THE secure OS. > > All windows in the window list should only be triggered by the user, > > all > > other system process should only trigger a notification. > > > Do you think it is easy to design a webpage that simulates such a > "password fraud"? I see a difficulty here due to having to dim the whole > screen to look like the standard password request, not that an user > would not enter it in any kind of pop-up. > > On the other hand, I have an idea for a secure way to ask for user > input. In the installer, the user choses her own password, and the > "secret phrase" which will be written in a root-only accessible file. > This sentece will be shown to the user by the system when a password is > asked and will autenticate the system with the user. The user should > then be instructed not to enter his own password unless the right phrase > is seen. A random phrase may be suggested automatically from a huge list. > > Vincenzo > -- Paulo José da Silva e Silva Professor Associado, Dep. de Ciência da Computação (Associate Professor, Computer Science Dept.) Universidade de São Paulo - Brazil e-mail: pjssi...@ime.usp.br Web: http://www.ime.usp.br/~pjssilva Teoria é o que não entendemos o (Theory is something we don't) suficiente para chamar de prática. (understand well enough to call practice) ___ Mailing list: https://launchpad.net/~ayatana Post to : ayatana@lists.launchpad.net Unsubscribe : https://launchpad.net/~ayatana More help : https://help.launchpad.net/ListHelp
Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
On Tue, Jun 16, 2009 at 1:00 PM, Vincenzo Ciancia wrote: > On 16/06/2009 mac_v wrote: > >> In no way the system should decide what windows it can open... >> If this is allowed it is only a matter of time before someone develops a >> worm which uses this behavior and pops-up a window similar to the update >> manager which also asks for the user password allowing the worm to take >> control of the system using this password info. >> *Is ubuntu only going to realize this security risk after someone* >> *develops a proof of concept worm or a real virus* ? >> If this is done linux will no longer be THE secure OS. >> All windows in the window list should only be triggered by the user, all >> other system process should only trigger a notification. >> > > > Do you think it is easy to design a webpage that simulates such a "password > fraud"? I see a difficulty here due to having to dim the whole screen to > look like the standard password request, not that an user would not enter it > in any kind of pop-up. > > On the other hand, I have an idea for a secure way to ask for user input. > In the installer, the user choses her own password, and the "secret phrase" > which will be written in a root-only accessible file. This sentece will be > shown to the user by the system when a password is asked and will > autenticate the system with the user. The user should then be instructed not > to enter his own password unless the right phrase is seen. A random phrase > may be suggested automatically from a huge list A few websites use a similar trick and display a custom image which the user chooses. I think it's a bit of a better solution than using a phrase, because people are more likely to notice if it changes. -Natan ___ Mailing list: https://launchpad.net/~ayatana Post to : ayatana@lists.launchpad.net Unsubscribe : https://launchpad.net/~ayatana More help : https://help.launchpad.net/ListHelp
Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
Paulo J. S. Silva wrote: > mac_v, > > You raised very interesting point that the possibility of applications > asking the user for root access without proving themselves as real > system applications is a security risk. However I do not think the orage > icon can solve this problem. It is true that a malicious application can > fake the update-manager window. But a malicious application can also > fake the orange icon or whatever notification approach we choose, as you > are assuming that the "virus" is already running application under user > privileges. > I did not suggest bringing back the icon , you are probably have me confused with some other member. but i'm for a *better interactive notification system* , in addition to notify-osd , *which is accessed ONLY by limited system process* . This way fake notifications dont arise either. cheers, mac_v ___ Mailing list: https://launchpad.net/~ayatana Post to : ayatana@lists.launchpad.net Unsubscribe : https://launchpad.net/~ayatana More help : https://help.launchpad.net/ListHelp
Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
On 16/06/2009 Natan Yellin wrote: A few websites use a similar trick and display a custom image which the user chooses. I think it's a bit of a better solution than using a phrase, because people are more likely to notice if it changes. Hmm, if I enter "fatti non fummo a viver come bruti" and you (the malicious program) have no idea of what it could be, sure I notice if it changes. The problem with an image is that it would make the installation process much less comfortable if you want to find your own image but I am not totally against it. You can even have both. Vincenzo ___ Mailing list: https://launchpad.net/~ayatana Post to : ayatana@lists.launchpad.net Unsubscribe : https://launchpad.net/~ayatana More help : https://help.launchpad.net/ListHelp
Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
Thinking a little bit more about Vincenzo suggestion. It is not clear to me how the application that is asking for root access can present some information that is only readable by root. Anyhow, this is a security problem and maybe we are getting off topic here. best, Paulo ___ Mailing list: https://launchpad.net/~ayatana Post to : ayatana@lists.launchpad.net Unsubscribe : https://launchpad.net/~ayatana More help : https://help.launchpad.net/ListHelp
Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
On 16/06/2009 Paulo J. S. Silva wrote: Thinking a little bit more about Vincenzo suggestion. It is not clear to me how the application that is asking for root access can present some information that is only readable by root. Anyhow, this is a security problem and maybe we are getting off topic here. Well, this is not meant to protect you from people in the same room, for that there is your password. It's meant to protect you from worms. The sudo program can become root to read such a file and present it. And no standard executable can do that because you need the setuid bit. But I'd prefer somebody with experience in security talk about this. It's not offtopic in my opinion as exactly this machinery could be used in the infamous popup to address the concern of many, but can be moved elsewhere or dropped if it has obvious flaws that I don't see. Vincenzo ___ Mailing list: https://launchpad.net/~ayatana Post to : ayatana@lists.launchpad.net Unsubscribe : https://launchpad.net/~ayatana More help : https://help.launchpad.net/ListHelp
Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
Vincenzo Ciancia wrote: > It's not offtopic in my opinion as exactly this machinery could be used > in the infamous popup to address the concern of many, but can be moved > elsewhere or dropped if it has obvious flaws that I don't see. > Oh ! no! Pls not in the pop-up... pop-up idea should be re-done! It would be logical to use this in the modal window that asks for the password... When it is in the modal window ,the user will recognize the difference while entering the password. Cheers, mac_v ___ Mailing list: https://launchpad.net/~ayatana Post to : ayatana@lists.launchpad.net Unsubscribe : https://launchpad.net/~ayatana More help : https://help.launchpad.net/ListHelp
Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
Il giorno mar, 16/06/2009 alle 19.52 +0530, mac_v ha scritto: > Vincenzo Ciancia wrote: > It would be logical to use this in the modal window that asks for the > password... > When it is in the modal window ,the user will recognize the difference > while entering the password. That'd be much easier, agreed. Vincenzo ___ Mailing list: https://launchpad.net/~ayatana Post to : ayatana@lists.launchpad.net Unsubscribe : https://launchpad.net/~ayatana More help : https://help.launchpad.net/ListHelp
