Nice writeup

Posted Feb 26, 2009 22:54 UTC (Thu) by pynm0001 (guest, #18379)
In reply to: Nice writeup by tzafrir
Parent article: Desktop malware risk gets raised and patched

Do I suppose that people piping code straight from the Internet
into a shell will fall for misleading text in a dialog box? Yes, I
suppose people insane enough to pipe arbitrary code into a running shell
*would* fall for it.


Nice writeup

Posted Feb 27, 2009 5:09 UTC (Fri) by jimparis (subscriber, #38647)

I think you misunderstood his point, which I read as: What if the "Exec=" command in the .desktop file is misleading? Such that the user reads your dialog box, decides the command looks benign, and then clicks Continue --> but really it was just a cleverly hidden attack.

I don't think you can expect to work around this any more than you can teach users to not trust "https://www.paypal.com.nigerian-scammers-love-you.com". However, it's an argument FOR keeping some text like "If you don't know where this came from or what's going on, click Cancel" in the dialog box.

As an example, your recent dialog (krun8.png) might end up reading:

"This will start the program:
xterm -e 'dd if=/dev/null of=/dev/sda'
If you do not trust this program, press cancel"

and users could think "Oh, well, I don't fully understand what that means, but I do trust xterm, so I'll click OK"
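
The dialog problem described in the comment above, as an added example that is not part of the original comments or of any desktop environment's code: a launcher-side check that reads the `Exec=` value and, when the first program is only a wrapper, surfaces the command that actually runs. The wrapper list, function names and sample entry are assumptions made for illustration, and shell-style splitting with `shlex` only approximates the desktop entry quoting rules.

```python
import shlex

# Assumption: illustrative, non-exhaustive map of programs that run another
# command, keyed to the flag that introduces that command.
WRAPPER_FLAGS = {"xterm": "-e", "sh": "-c", "bash": "-c"}

# Constructed sample entry, using the Exec line quoted in the comment above.
SAMPLE = ("[Desktop Entry]\nType=Application\nName=Example\n"
          "Exec=xterm -e 'dd if=/dev/null of=/dev/sda'\n")

def exec_value(desktop_text):
    """Return the Exec= value from the [Desktop Entry] group, or None."""
    in_entry = False
    for line in desktop_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_entry = line == "[Desktop Entry]"
        elif in_entry and line.startswith("Exec="):
            return line[len("Exec="):]
    return None

def command_chain(command, max_depth=5):
    """Return the command followed by each command nested in known wrappers."""
    chain = [command]
    while len(chain) <= max_depth:
        try:
            argv = shlex.split(chain[-1])
        except ValueError:  # unbalanced quotes: stop and show what we have
            break
        flag = WRAPPER_FLAGS.get(argv[0].rsplit("/", 1)[-1]) if argv else None
        if flag is None or flag not in argv[1:]:
            break
        rest = argv[argv.index(flag, 1) + 1:]
        if not rest:
            break
        # "-c" takes one command string; "-e" takes a program plus arguments.
        single = flag == "-c" or len(rest) == 1
        chain.append(rest[0] if single else shlex.join(rest))
    return chain

def dialog_text(desktop_text):
    """Build confirmation text that names the innermost command as well."""
    chain = command_chain(exec_value(desktop_text) or "")
    lines = ["This will start the program:", "  " + chain[0]]
    if len(chain) > 1:
        lines += ["That program only launches another command:", "  " + chain[-1]]
    lines.append("If you do not trust this program, press cancel")
    return "\n".join(lines)
```

Calling `dialog_text(SAMPLE)` puts the `dd` invocation on its own line, so the decision no longer hinges on whether the user recognises `xterm`.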


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.