Way too long phrase...

Posted Feb 11, 2009 18:35 UTC (Wed) by khim (subscriber, #9252)
In reply to: actually, was pointed out at least as early as 2004 on LWN.net by stevenj
Parent article: How to write a Linux virus in 5 easy steps

From my perspective, any user interface that employs the same action to open a file as to launch an executable/script has a fundamental vulnerability to social-engineering attacks.
Should be read: any user interface has a fundamental vulnerability to social-engineering attacks. It does not mean .desktop files should be runnable without the X attribute, of course - it just means it's not a panacea...

Way too long phrase...

Posted Feb 11, 2009 19:41 UTC (Wed) by NAR (subscriber, #1313)

Yes, the file opening application can also have a bug that is triggered by the malicious attachment...

Way too long phrase...

Posted Feb 12, 2009 0:37 UTC (Thu) by stevenj (guest, #421)

Is your point that UI design plays no role in security, or that nothing can be done to improve the situation? If so, I have to respectfully disagree. If not, I'm not sure what your point is.

Clearly, some UIs are more vulnerable than others. (To pick an extreme example, a mail UI that allows merely reading an email to execute untrusted code is problematic.)

My point?

Posted Feb 12, 2009 16:01 UTC (Thu) by khim (subscriber, #9252)

My point was that user's education helps 100 times more than any UI decisions.

My point?

Posted Feb 12, 2009 19:13 UTC (Thu) by stevenj (guest, #421)

Even if this were true (do you have data to back it up?), it wouldn't imply that resistance to deception should not play a significant role in UI design. Clearly, no approach is a panacea, which means that one wants to explore all practical avenues; certainly user education hasn't prevented widespread malware on certain platforms (which has side effects affecting all of us).