undefined | Better HN

0x09y ago· 2 in thread

No respectable package would put up a fake sudo prompt only to stash away your password for later use.

It's a good thing Dropbox isn't doing that, then.

Then please explain how it manages to set the accessibility privilege at every login after the user explicitly revokes it. I can see only two options:

1) the Dropbox client stores the password and uses it to hack the accesses db at every login.

2) the Dropbox client runs as root and does the same thing.

Both options are simply terrible from a security point of view

2 more replies

new2999y ago· 1 in thread

It's slightly different, because Dropbox board members support warrantless surveillance: http://www.drop-dropbox.com/

amenod9y ago

This is not the main difference (which is that apt packages are checked by package maintainers), but thanks for sharing the link, didn't know that. It makes this hack even more serious.

amenod9y ago

There's a world of difference, as long as you are using only default repositories (which you should). Apt itself is root, of course, but it is (or should be) trustworthy. All other apps never see root access unless they need it - and if it is needed, then the package maintainer has checked the package to make sure it only uses root when necessary. Kind of like Apple checking apps on AppStore.

4ad9y ago

Linux packages come from the distribution and are controlled by the distribution, not some random 3rd party business.

0 comments

0 comments