Written by C.H.E.W.S. the 5 Feb 10 at 03:51.

I suggest sponsoring a controlled event in which people can win money based on how effective of an exploit they can come up with. The system being hacked should simulate a variety of users: click happy user, security expert, mid level user. Blender sponsors open movie project to improve blender so why can't we fund an event to improve security. (Participant will have to explain the exploit of course!) So summed up it is a pen testing the default configs and the systems ability to withstand different levels of user intelligence! Security for a mid level user is the most realistic target of course but an idiot can reveal tons of holes.

I suggest sponsoring a controlled event in which people can win money based on how effective of an exploit they can come up with. The system being hacked should simulate a variety of users: click happy user, security expert, mid level user. Blender sponsors open movie project to improve blender so why can't we fund an event to improve security. (Participant will have to explain the exploit of course!) So summed up it is a pen testing the default configs and the systems ability to withstand different levels of user intelligence! Security for a mid level user is the most realistic target of course but an idiot can reveal tons of holes.

Written by haydoni the 6 Feb 10 at 21:04.

If the user has downloaded an executable from a website, then when they try to install, before the install display a warning (something like): "installing software from the net can be insecure and that they may be better off installing one of the following **produce a search of similar applications and descriptions from the software centre based on the name (?) of the file which they have tried to install** from the secure repositories".

*********This could be exceptionally useful for ex-Windows users who are downloading .exe files!********

This would not only promote (or remind) repository use for the average/new user, but would only be one extra click for the determined/proficient user (who knows what they are doing). It could have a tick box saying: "next time don't display suggestions". If they choose to ignore this, that's their decision.

If the user has downloaded an executable from a website, then when they try to install, before the install display a warning (something like): "installing software from the net can be insecure and that they may be better off installing one of the following **produce a search of similar applications and descriptions from the software centre based on the name (?) of the file which they have tried to install** from the secure repositories". *********This could be exceptionally useful for ex-Windows users who are downloading .exe files!******** This would not only promote (or remind) repository use for the average/new user, but would only be one extra click for the determined/proficient user (who knows what they are doing). It could have a tick box saying: "next time don't display suggestions". If they choose to ignore this, that's their decision.

Written by houseworkshy the 14 Feb 10 at 14:40.

One could have an option to download to cache for scanning. This option could be chosen for any file type and especially for ALL installation methods. If the scanners find suspected malware there would be an option to upload to a data base where they can be checked. This feature would include update able white and blacklists to reduce false positives on heuristic scans. Thus should malware be found it could be removed before it can get at the system. For those who are at the development end looking at what has been uploaded this would also function as a resource; it's data base being, effectively, what any users who report and upload files, have found anywhere. In this way all users of the system are helping research exploits whilst keeping their machines safe. Sadly, we can rely on the malignant to find and develop the exploits without our help.

One could have an option to download to cache for scanning. This option could be chosen for any file type and especially for ALL installation methods. If the scanners find suspected malware there would be an option to upload to a data base where they can be checked. This feature would include update able white and blacklists to reduce false positives on heuristic scans. Thus should malware be found it could be removed before it can get at the system. For those who are at the development end looking at what has been uploaded this would also function as a resource; it's data base being, effectively, what any users who report and upload files, have found anywhere. In this way all users of the system are helping research exploits whilst keeping their machines safe. Sadly, we can rely on the malignant to find and develop the exploits without our help.

Written by himek the 22 Feb 10 at 21:33.

By default running an executable have access to all user's files (and more). One could write a simple bash script/executable that once launched wipes out entire user's home!

Promote languege/VM level sandboxing (ECMAScript, Mono, Java, what-not) for third party desktop add-ons like appletes, themes etc.

Implement partly sandboxed installations for untrasted software. Sandboxed application should only have a limited local storage initially (for example ~/.config/myapp, ~/.local/share/myapp). Once it tries to access files outside those boundaries user should be asked to allow it or not.

By default running an executable have access to all user's files (and more). One could write a simple bash script/executable that once launched wipes out entire user's home! Promote languege/VM level sandboxing (ECMAScript, Mono, Java, what-not) for third party desktop add-ons like appletes, themes etc. Implement partly sandboxed installations for untrasted software. Sandboxed application should only have a limited local storage initially (for example ~/.config/myapp, ~/.local/share/myapp). Once it tries to access files outside those boundaries user should be asked to allow it or not.