Re: Use Cases and Requirements for Saving Files Securely

2009/11/12 Ian Fette (イアンフェッティ) <ifette@google.com>:
> 2009/11/12 Jonas Sicking <jonas@sicking.cc>
>>
>> 2009/11/12 Ian Fette (イアンフェッティ) <ifette@google.com>:
>> > This is really getting into fantasy-land... Writing a file and hoping
>> > that
>> > the user actually opens up explorer/finder/whatever and browses to some
>> > folder deep within the profile directory, and then double clicks
>> > something?
>> > Telling a user "click here and run blah to get a pony" is so much
>> > easier.
>>
>> So first off that only addresses one of the two attacks I listed.
>>
>
> Fair
>
>>
>> But even that case I don't think is that fantasy-y. The whole point of
>> writing actual files is so that users can interact with the files,
>> right? In doing so they'll be just a double-click away from running
>> arbitrary malicious code. No warning dialogs or anything. Instead the
>
> Why do you assume this? On Windows, we can write the MotW identifier, which
> would lead to windows showing a warning. On linux, we could refuse to chmod
> +x.

Ah, don't know enough about this feature so can't really comment. All
the information I found was regarding MotW on webpages, not on
executables.

/ Jonas

Received on Thursday, 12 November 2009 10:46:16 UTC