[conspire] Autorun in GNOME/Nautilus

Nick Moffitt nick at zork.net
Wed Sep 28 15:04:57 PDT 2011

Rick Moen:
> Evince is a leading case of an application designed to handle public
> data (in its case, PDFs) that quickly became overfeatured (though not
> as horrifically as Acroread) and thus acquired a huge attack surface
> -- Evince's core code and _any_ of the large number of library
> dependencies it calls.  So, an AppArmor policy for it would contain
> this threat by saying exactly what it can read and write, where, such
> that the security controls to that effect are externally enforced by
> the kernel and Evince itself doesn't need to be trusted to do only
> intended activity and not get subverted and run amok under the
> influence of an aberrant data file sent to it from the Internet.

The sad part is, this kind of overfeaturedness is exactly the sort of
thing that Unix Philosophy proponents have been arguing *against* for
many years.  Alas, this particular ship has sailed, and AppArmor's
"firewall for access to local files" model appears to be the Least Bad
option for the decade we live in.

Right now the thing I fear most is the fact that every low-powered
device out there will soon have enough oomph to run JavaScript-heavy
pages without missing an interrupt.  At that point the *only* people
left without JS on globally will be the tinfoil hat types like myself,
and you'll no longer be able to wave a "what about accessibility?" flag
or claim the poor can't afford JS.

At that point, the Web is going to get a *lot* smaller for me, rather
like it did when people started dumping it for Facebook.

Information gladly given, but safety requires
avoiding unnecessary conversation.
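
The containment model described in the quoted paragraph, written out as an AppArmor profile. This is an added example, not part of the original message and not the profile any distribution ships for Evince; the binary path, the document directories and the config/cache locations are assumptions.

```apparmor
# Illustrative AppArmor profile for a PDF viewer (added example).
# All paths below are assumptions about a typical desktop layout.
#include <tunables/global>

profile evince-example /usr/bin/evince {
  # Shared baseline: libc, locale data, fonts, desktop toolkit files.
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/gnome>

  # The program itself and its read-only application data.
  /usr/bin/evince mr,
  /usr/share/evince/** r,

  # "What it can read, where": only PDFs, only in the places the
  # user keeps documents, and only files the user owns.
  owner @{HOME}/Documents/**.[pP][dD][fF] r,
  owner @{HOME}/Downloads/**.[pP][dD][fF] r,
  owner /tmp/*.[pP][dD][fF] r,

  # "What it can write, where": its own settings and cache, nothing else.
  owner @{HOME}/.config/evince/ rw,
  owner @{HOME}/.config/evince/** rw,
  owner @{HOME}/.cache/evince/ rw,
  owner @{HOME}/.cache/evince/** rw,

  # Anything not allowed above is already refused in enforce mode.
  # Explicit deny rules additionally override any allow pulled in by an
  # abstraction and keep the denial out of the audit log.
  deny @{HOME}/.ssh/** mrwkl,
  deny @{HOME}/.gnupg/** mrwkl,

  # A document viewer confined this way gets no IP networking, so a
  # subverted parser or library cannot send local files anywhere.
  deny network inet,
  deny network inet6,

  # No rules with x permission other than the mapped binary itself:
  # the confined process cannot exec a shell or helper programs.
}
```

Once loaded with `apparmor_parser -r`, the kernel enforces these rules on the Evince process and every library it has mapped, so a malicious PDF that takes over the process is still limited to the reads and writes listed here.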
