"Name" key value in desk. entry spec collides with file names, could misguide users?

Kalle Vahlman kalle.vahlman at gmail.com
Mon Mar 21 10:54:17 EET 2005


On Sun, 20 Mar 2005 19:25:17 +0000, Mike Hearn <mike at navi.cx> wrote:
> On Sun, 2005-03-20 at 18:55 +0100, Diego Calleja wrote:
> > Again, this is not a hypothetical situation.
> > This is what people have been observed to do
> > for years in "other platforms".
> 
> No, what we have observed is that it's extremely easy to impersonate
> people on the internet and that generally, people are trusting of email
> or files that appear to come from people they know.

This also opens up the question of how to make it seem like a person
_I_ know? Linux hardly has (as) vulnerable email clients that could be
compromised (this could be due to lack of trying, though) to send
trojans to my friends, and I refuse to believe that any Windows
machine would be hijacked to spew Linux-only stuff around. Some
reverse-mailing to myself would be the only option, and that would
need my machine to already be compromised.

> Requiring the +x bit set on anything (not just .desktop files) does not
> give the user any more information than they already had, so it will not
> change the decision they make. It *will* increase their sense of
> frustration and helplessness if they're unable to figure out how to do
> what they want to do, but that achieves nothing except making people
> trust computers even less than they already do.

Annoying users is truly the most likely way to get no userbase from
the ordinary users (which are the target group of trojans etc).

People should NOT trust computers, but the reason should be that they
are wise enough to question the integrity of any source, not because
every now and then they get spooked by a warning that says "do this
and be sorry".

Education is the number one security issue, and secure ways to do
things are only second (and setting +x helps neither).

> Producing something that people actually *use* to get things done
> requires stability. There are better APIs than POSIX out there. It
> doesn't matter. The value stability brings outweighs the value a better
> API would bring. It's a simple cost:benefit analysis, and in this case
> the cost is high and the benefit is low to non-existent.

I agree, to a point. When looking at the Windows case (lots of legacy
code there, some of which is even to circumvent bugs in 3rd party
software(!)) I can't help feeling that while the benefit really has
been a great one, the cost is grave indeed.
 
> I think this idea of people not caring or knowing about security is
> wrong. It doesn't apply in any other area of life: cars have
> immobilisers, houses have burglar alarms and cards have PINs.

Beg to differ, driving a car requires lots of consideration to
security. You wouldn't just let anyone walk in to your living room
either. Both of these are active duties, as is surfing the net and
reading email.

> Nobody blames stupid users for card fraud, do they? This is a rather nasty
> habit of IT workers alone.

Well, depending on the situation...

If you give your PIN number to anyone or keep it on a post-it note
attached to your card, who else can you blame?

> Nobody suggests making it harder to buy things as a solution to card
> fraud - instead better security systems like the European Chip+PIN
> schemes are designed to replace signature checks.

True, and these are analogous to different signing schemes in
computers. On computers, the trouble just is that due to volume, every
little bit of software will not get signed. And then you get to the
"not signed, run anyway?"-problem again. Or the restricted environment
problem, which is probably worse (not being able to run software you
believe to be safe, but that has no signature sucks).

> Instead of writing off users as "clueless" and "idiots" as it's so
> tempting to do, how about we provide them with the information they need
> to make accurate decisions and strengthen security to make it less of a
> winner-takes-all situation if they make the wrong one?

And push for security-aware education in schools etc that teaches
secure email usage and web content "screening".

P.S. I'm guilty of using the word "stupid" instead of "uneducated".
I'm sorry for all involved.

-- 
Kalle Vahlman, zuh at iki.fi



More information about the xdg mailing list