From kde-core-devel Sun Feb 22 16:15:58 2009
From: Michael Pyne
Date: Sun, 22 Feb 2009 16:15:58 +0000
To: kde-core-devel
Subject: Re: [PATCH] .desktop security ++
Message-Id: <200902221115.58808.mpyne () purinchu ! net>
X-MARC-Message: https://marc.info/?l=kde-core-devel&m=123531940822294

On Sunday 22 February 2009, Randy Kramer wrote:
> What is the security concern that prompts the suggestion to open the
> property dialog in the first 10 minutes after creating it? Is it a
> concern that some unauthorized person walks up to a PC, installs
> something insecure and then proceeds to use it?


I just figure that if we're worried about the scenario where someone is tricked into opening a trojan .desktop file, the creation time is the only bit of meta-data on the file which can't be controlled by the attacker, and users who have had their own launchers would presumably have taken more than 10 minutes to upgrade from 4.2. Just a thought is all.


Regards,
- Michael Pyne
