Re: Concrete ideas for the December-March OPW?
- From: Hans Petter Jansson <hpj copyleft no>
- To: Michael Catanzaro <mcatanzaro gnome org>
- Cc: Safety and Privacy Team <safety-list gnome org>
- Subject: Re: Concrete ideas for the December-March OPW?
- Date: Thu, 30 Oct 2014 02:23:07 +0100
On Wed, 2014-10-29 at 18:30 -0500, Michael Catanzaro wrote:
There are a couple of things I'm not quite sure about:
* Prompting. I think it's reasonable in this case, but not everyone
agrees.
You don't want to prompt the user to accept the device or not. The user
plugged it in and wants to use it. The purpose of the prompt I suggested
is to discover whether the device claims to be the thing it looks like
it is.
I wasn't suggesting a specific wording or UI design. The user can
trigger acceptance or rejection based on choosing the right picture or
what have you. I like your idea.
I'm curious as to how we solve the issue of cameras, phones etc.
identifying themselves as mass storage devices, though. Even for
legitimate devices, there is often not a good correspondence between
what the device claims to be and its physical appearance.
* How broad is the "simple HID" category? Is it always safe to accept
these devices?
No it's not safe, see
https://hakshop.myshopify.com/collections/usb-rubber-ducky/products/usb-rubber-ducky-deluxe
With password guessers and potential issues in kernel drivers, that
pretty much leaves us with the whitelist. The use case where you switch
to a different keyboard on the lock screen seems to be unsupportable,
then -- the best we can do is show a message asking the user to unlock
the session before changing input devices. Probably not a huge issue in
any case.
--
Hans Petter
[
Date Prev][Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]