http://bugzilla.opensuse.org/show_bug.cgi?id=1202042 Bug ID: 1202042 Summary: PolicyKit and preventing social engineering attacks Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Enhancement Priority: P5 - None Component: Other Assignee: screening-team-bugs@suse.de Reporter: slawek@lach.art.pl QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- PolicyKit should allow application to describe, why it needs certain privileges and consult this with community. Some applications in Android shown messages, which try clarify why it needs privileges. Why not integrate this mechanism into PolicyKit. Most people trust more application, when it show this kind of message without thinking if it does really do this task and need this privileges. We could solve this social engineering attacks by: 1. Allowing application to describe problem - description should be shown on PolicyKit agent. 2.Gather executable information, like hash, app name, etc. 3 Add button search in web database - PoliKit should search for gathered information and message 4. When user click on search in database and no result, add button consult on web forum - gathered information + message should be pasted on web forum Step 2: if software is malicious, PolicyKit agent would show warning Step 3: we open up web browser. User could consult and perform task again Why this way to attack? There is no way to generate many good looking description of problem. Attackers could write human-readable message, but in most cases do not have enough human resources to write messages in many languages and each with proper grammar. Also, user would be alerted, when we try to install font and PolicKit agent show something like that shown: Software Arial font installer requires UDisk 2 to take action: form /dev/sda1 into btrfs. Reason is: We need to install font. Sounds good, huh? Yes, attackers use social engineering to attack. He/She must found solution to asks user to give permission and showing reason message will increase security, in some cases. -- You are receiving this mail because: You are on the CC list for the bug.