sudo without password

Derek Broughton news at pointerstop.ca
Thu Jun 15 16:51:58 UTC 2006


Florian Diesch wrote:

> If he will run the malware chances are good he will click "Yes" if
> asked for permission to open a network connection.
> 
> I don't think there are many users who'll not grant access if
> "ubuntu-update-mgr" asks for it.

Why?  If the tool to open the network connection makes it clear that you
shouldn't open ports unless you're certain you have asked for it, that
should stop most people just clicking on it.  I certainly wouldn't
let "ubuntu-update-mgr" access the net unless I'd just clicked on a button
that was supposed to run it.

> AFAIK most of today's Windows malware either uses some IE bugs or makes
> the user click on things like queen-mom-naked.jpg.exe
> 
>> Linux has no magical immunity to users that will run anything they
>> download off the net.

At least most of us can tell the difference between queen-mom-naked.jpg.exe
and queen-mom-naked.jpg (which can't do any harm on a Windows machine - but
_could_ on a Linux machine, as the system is quite capable of executing
something with a .jpg extension).  The real problem is that there are
people out there who would really _want_ to see queen-mom-naked.  Ack!!!
 
> But the way to go is to tell them not to run anything they download off
> the net. Ubuntu has about 12 GB of trustworthy software, so one goal is
> IMHO to tell them to search there first before they try Google.

Don't run anything off the net - Oh, wait a minute - you can run MY software
off the net...

>> Being secure from network attacks alone isn't enough for the threats
>> Linux will face in the future.  Consider: What do you see when you
>> install a deb or rpm?  How would you know that it isn't just installing
>> Mozilla Thunderbird, but also a trojan right along with it?  Right now,
>> sophisticated users are smart enough to only install signed packages.

It already isn't enough.  There are important packages for which I can find
no key (Wine comes to mind - the up-to-date stuff, not Dapper), plus most
people find the keys they do get on servers no more reliable than the
source of the package!

> Well, you can't do more than warn the user that he's about to do
> something dangerous. It's his computer after all.
> The problems with Windows are that often there is no warning and that
> there are so many annoying questions that most users have clicked
> the OK button before they could read the message.

Precisely.
-- 
derek




