LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

LWN.net Weekly Edition for June 6, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Nice writeup

Nice writeup

Posted Feb 27, 2009 5:09 UTC (Fri) by jimparis (subscriber, #38647)
In reply to: Nice writeup by pynm0001
Parent article: Desktop malware risk gets raised and patched

I think you misunderstood his point, which I read as: What if the "Exec=" command in the .desktop file is misleading? Such that the user reads your dialog box, decides the command looks benign, and then clicks Continue --> but really it was just a cleverly hidden attack.

I don't think you can expect to work around this any more than you can teach users to not trust "https://www.paypal.com.nigerian-scammers-love-you.com". However, it's an argument FOR keeping some text like "If you don't know where this came from or what's going on, click Cancel" in the dialog box.

As an example, your recent dialog (krun8.png) might end up reading:

"This will start the program:
xterm -e 'dd if=/dev/null of=/dev/sda'
If you do not trust this program, press cancel"

and users could think "Oh, well, I don't fully understand what that means, but I do trust xterm, so I'll click OK"

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds