actually, was pointed out at least as early as 2004 on LWN.net

Posted Feb 11, 2009 18:04 UTC (Wed) by stevenj (guest, #421)
Parent article: How to write a Linux virus in 5 easy steps

Albeit in the comments, not in the article text, of yet another article about email viruses: "Not to mention that certain things like desktop shortcuts on GNOME are just files and don't need an execute bit at all to be usable in dangerous ways." And there are other time-tested (on Windows) ways of getting users to set executable bits, e.g. by getting them to uncompress a .tar.gz file (a lot of Windows email viruses hid themselves in .zip attachments).

From my perspective, any user interface that employs the same action to open a file as to launch an executable/script has a fundamental vulnerability to social-engineering attacks.
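An added example, not part of the original comment or of any project's code: a small audit for the condition the quoted remark describes, listing .desktop launchers that carry an Exec line but have no execute bit set. The function names, sample file names and the /usr/bin/example-tool path are assumptions constructed for illustration.

```python
import configparser
import os
import tempfile

def audit_launchers(root):
    """Return [(path, Exec value)] for Application launchers with no execute bit set."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".desktop"):
                continue
            path = os.path.join(dirpath, name)
            parser = configparser.RawConfigParser(
                strict=False, delimiters=("=",), comment_prefixes=("#",))
            parser.optionxform = str  # desktop-entry keys are case-sensitive
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    parser.read_file(fh)
                entry = parser["Desktop Entry"]
            except (OSError, KeyError, configparser.Error):
                continue  # unreadable, or not a desktop entry at all
            if entry.get("Type") != "Application" or "Exec" not in entry:
                continue  # Link and Directory entries do not run a command
            if os.stat(path).st_mode & 0o111 == 0:
                findings.append((path, entry["Exec"]))
    return findings

def demo():
    """Write constructed sample launchers to a temp dir; return the flagged ones."""
    samples = {  # name -> (mode, body); every value here is constructed
        "report.desktop": (0o644, "[Desktop Entry]\nType=Application\n"
                                  "Name=Report\nExec=/usr/bin/example-tool --open %f\n"),
        "trusted.desktop": (0o755, "[Desktop Entry]\nType=Application\n"
                                   "Name=Trusted\nExec=/usr/bin/example-tool\n"),
        "site.desktop": (0o644, "[Desktop Entry]\nType=Link\n"
                                "Name=Site\nURL=https://example.org/\n"),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (mode, body) in samples.items():
            path = os.path.join(root, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return [(os.path.basename(p), cmd) for p, cmd in audit_launchers(root)]

if __name__ == "__main__":
    for name, cmd in demo():
        print(f"{name}: no execute bit, but Exec={cmd}")
```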


Way too long phrase...

Posted Feb 11, 2009 18:35 UTC (Wed) by khim (subscriber, #9252)

"From my perspective, any user interface that employs the same action to open a file as to launch an executable/script has a fundamental vulnerability to social-engineering attacks."
Should be read: any user interface has a fundamental vulnerability to social-engineering attacks. It does not mean .desktop files should be runnable without X attribute, of course - it just means it's not a panacea...

Way too long phrase...

Posted Feb 11, 2009 19:41 UTC (Wed) by NAR (subscriber, #1313)

Yes, the file opening application can also have a bug that is triggered by the malicious attachment...

Way too long phrase...

Posted Feb 12, 2009 0:37 UTC (Thu) by stevenj (guest, #421)

Is your point that UI design plays no role in security, or that nothing can be done to improve the situation? If so, I have to respectfully disagree. If not, I'm not sure what your point is.

Clearly, some UIs are more vulnerable than others. (To pick an extreme example, a mail UI that allows merely reading an email to execute untrusted code is problematic.)

My point?

Posted Feb 12, 2009 16:01 UTC (Thu) by khim (subscriber, #9252)

My point was that user education helps 100 times more than any UI decisions.

My point?

Posted Feb 12, 2009 19:13 UTC (Thu) by stevenj (guest, #421)

Even if this were true (do you have data to back it up?), it wouldn't imply that resistance to deception should not play a significant role in UI design. Clearly, no approach is a panacea, which means that one wants to explore all practical avenues; certainly user education hasn't prevented widespread malware on certain platforms (which has side effects affecting all of us).
