List:       kde-core-devel
Subject:    Re: Automatically executing files
From:       Joerg Habenicht <habenich () planetsserver ! com>
Date:       2001-05-28 7:28:40

On Mon, 28 May 2001, Martijn Klingens wrote:

> On Sunday 27 May 2001 23:33, Waldo Bastian wrote:
> >
> > Hey, I don't care if people do stupid things, but that doesn't mean we
> > should support such stupid actions. What's next? a button for "Delete
> > entire harddisk"?

Hey Waldo,
cool idea ;-)

> 
> Hmmmm, I'm not exactly sure whether this is a 'stupid action' or not. I can 
> see some truth in both arguments.
> 
> 1) A user downloaded a file that is an executable and wants the file to be 
> executed. Currently this means setting permissions from konq (which is fine 
> IMO) or running chmod +x (which is perfect for me, but not for many newbies). 
> This alternative of detecting executable shell script, ELF binaries or 
> whatever by mime type and _asking_ the user if he wants to run the file might 
> be a good option. Maybe better would be adding an option in Konq's service 
> menu "make executable" and keeping the default action like it is now, at 
> least for files with a proper app bound to them, like shell scripts. If a 
> user says "no", remember his choice and don't ask again for the given file.
> 
> 2) A user downloaded malicious content and clicks on it - either by accident, 
> or by trusting content that shouldn't be trusted. In this case we don't want 
> to set the 'x' bit, which is many people's concern.
> 
> I'm not certain if the potential security risk is actually a risk, since 
> 'chmod +x worm.sh; ./worm.sh' would be just as disastrous as just clicking it 
> from konq. _IF_ users would act more stupid with this feature we should not 
> implement it, IMO. It is, however, a _BIG FAT "IF"_ - I'm not that sure that 
> it decreases security.

Hi Martijn.

There is indeed a difference between clicking it right away and having to
save it and execute it yourself.
LoveYou & friends easily spread around the world and took down some
mailservers because JoeSixpack got an email and clicked to look at the
picture (or got it "displayed" at once). This action took 8 seconds from
getting the mail to spreading more viruses to the world.
The KDE solution gets the user to do this action manually, which takes by
my estimation 30-60 sec.
While this happens, some more KDE users than Exp~~~er become aware of the
name or content of the downloaded file and stop the execution.

I'm not saying that this increased time stops users from executing virus
code, those people just shoot themselves in the foot some seconds later.

But the increased time between getting the file and spreading new viruses
from the computer slows down the spreading of the virus. This way warnings
get through and the virus can be hunted more easily.

I'm strongly in favour of the slow way.
Some more seconds don't slow down users that bad, but it makes the job of 
email viruses and download viruses harder.
Please no one second click for an easy executing.



cu,
Joerg
/who thought this discussion was settled 8 months ago.

-- 
THE full automatic planets host
:-)                            http://www.planetsserver.com

"All people are the same!"
   "...to me, anyway"        Gerd Show
