Do you think this is a security risk and if not is it a bad UI decision?

Michael Scherer misc at zarb.org
Sun May 5 00:47:31 UTC 2013


On Saturday 04 May 2013 at 15:22 -0700, Dan Mashal wrote:
> On Sat, May 4, 2013 at 2:37 AM, Michael Scherer <misc at zarb.org> wrote:
> > and I think that even Bruce Schneier has given his opinion in favor of
> > the proposal:
> > http://www.schneier.com/blog/archives/2009/06/the_problem_wit_2.html
> > http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html
> 
> Which he later took back.

As I said to Rahul, that's what he says in the 2nd link I gave. Do people
read what I say before replying to me?

> > I can add to that that I have seen more than once people setting a
> > password which was not the one they believed due to:
> > - keyboard layout (i.e. qwerty vs azerty in France)
> > - small usage differences from the Windows way, again on azerty keyboards
> > (people using Caps Lock on a French keyboard to type numbers while they
> > should use Shift, as Caps Lock just types capital letters like À or É and
> > not 0 or 2; if you do not understand, just look on the web to
> > compare how different it is from a qwerty-based keyboard)
> 
> The installer should detect the keyboard automatically. 

I have yet to see how the installer can detect the layout of a keyboard,
because that would solve many issues we have at work with LUKS passwords
and GRUB.

> In fact you can even tell it what type of keyboard you have on the
> first screen.
 
And if you had to actually choose the keyboard (as I assume you don't,
since the default is good for you), you would know that there are
sometimes several variants, up to 3 or 5 variants per country
(see the Swiss or Italian ones in GNOME).

I do not have issues with keyboards myself, but I can see that there are
cases where some people may not know what to choose (even if
things have greatly improved since past years, when we had 8 unneeded keyboard
variants for France).

And I am not sure that there isn't some country with more than 1
national layout (depending on how you interpret this map:
http://en.wikipedia.org/wiki/File:Latin_keyboard_layouts_by_country_in_Europe_map.PNG ).

Again, the situation may not be as simple as people believe for some
users. How many, no idea. Should we care? I think we should, but maybe
not everybody agrees. But I think we cannot say the issue does not exist:
some people will type their passwords wrong.

> > Or I could also speak of small non-standard keyboards such as the MacBook
> > one, where ~ or | are not printed and where using the wrong keyboard
> > could result in wrong characters if you are unaware of the problem.
> 
> I think people that have Macs have learned how to use their slightly
> different keyboards by now.

I guess then that the guy I saw today having this exact same issue on
Ubuntu on his MacBook didn't get the memo.

> > But the discussion is not about that, even if I think the rationale
> > around the defaults.
> > Showing by default will help people who are less familiar; hidden by
> > default will satisfy people who think that's a security issue.
> 
> Showing by default helps no one.

Then I think you are not doing enough support, or maybe you are
luckier than me with the people you choose/have to help and support.

> > Hidden by default and shown on demand is likely to still be a
> > hindrance to people who may not know they typed their password wrong
> > (because I think most assume that it will work fine; we are not at a
> > point where people assume by default that this will fail).
> 
> Straw man argument.
> 
> > So what about hiding on demand, and having it visible by default? This
> > way, people who prefer to have it hidden will be happy, and we are still
> > friendly to non-technical users.
> 
> Absolutely wrong.

What part is wrong, that people who prefer to have it hidden will not
be happy, or that this will not make some less technical users happy?

Because I can find a few people who would be happy; just read the
Slashdot thread to find some of them (so you cannot exactly say they do
not exist). Do not get me wrong, I would personally have been as
surprised as you were if I had done an installation of F19, and I had no problem
with the old way. But I can see the people who would benefit from the
change, and what the reasoning was.

> Why can't there be wider community approval, being able to vote on
> things like this? As I stated earlier there is a list of things that
> have changed without any real widespread community approval.

Because we are Fedora, not reddit.

For one, voting has some inherent issues like "who should be able to
vote"; two, who decides what can and should be put to a vote; and three, who
volunteers to organize them?

In fact, if you are so keen on having community approval, you should
lead by example, install a voting application on OpenShift or anywhere,
and start doing votes for your own work, so you will see if that works, if
you feel more legitimate, etc., etc.
Just follow
https://github.com/openshift-quickstart/limesurvey-quickstart and that's
it.

It would be fair to apply what you are preaching and to first see how
it works on yourself before proposing the changes to others who didn't
ask for it, no?

-- 
Michael Scherer
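An added illustration of the layout mismatch described in this message (qwerty vs azerty, and Caps Lock on a French keyboard yielding É/À instead of 2/0). This is a constructed example written for this page; it is not code from the thread, Fedora or anaconda. The layout tables are a simplified subset of the xkb 'us' and 'fr' maps (digit row plus the three letter rows, no AltGr or dead keys), written from memory; FR_WINDOWS_HABIT is a hypothetical table for a user who expects Caps Lock to produce digits on AZERTY, as it does on Windows. The sample passwords are constructed.

```python
"""Simulate what a password becomes when the keyboard layout the system has
active is not the one the user believes they are typing on.

Constructed example; it is not code from this thread, Fedora or anaconda.
The layout tables are a simplified subset of the xkb 'us' and 'fr' maps
(digit row plus the three letter rows, no AltGr or dead keys), written from
memory. FR_WINDOWS_HABIT is a hypothetical table for a user who expects Caps
Lock to produce digits on an AZERTY keyboard, as it does on Windows.
"""

# Each layout maps a modifier state to four rows of ten characters, indexed
# by physical key position; positions line up across layouts.
US = {
    "plain": ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"],
    "shift": ["!@#$%^&*()", "QWERTYUIOP", "ASDFGHJKL:", "ZXCVBNM<>?"],
    "caps":  ["1234567890", "QWERTYUIOP", "ASDFGHJKL;", "ZXCVBNM,./"],
}

# Linux xkb 'fr': Caps Lock capitalises the accented letters on the digit
# row (é -> É, à -> À) instead of producing digits; Shift gives the digits.
FR = {
    "plain": ["&é\"'(-è_çà", "azertyuiop", "qsdfghjklm", "wxcvbn,;:!"],
    "shift": ["1234567890", "AZERTYUIOP", "QSDFGHJKLM", "WXCVBN?./§"],
    "caps":  ["&É\"'(-È_ÇÀ", "AZERTYUIOP", "QSDFGHJKLM", "WXCVBN,;:!"],
}

# Hypothetical: the Windows habit from the message, where Caps Lock on the
# digit row is expected to yield digits.
FR_WINDOWS_HABIT = {
    "plain": FR["plain"],
    "shift": FR["shift"],
    "caps":  ["1234567890"] + FR["caps"][1:],
}

# Order in which the simulated user reaches for a character: an unmodified
# key first, then Caps Lock (the habit under discussion), then Shift.
PREFERENCE = ("plain", "caps", "shift")


def find_key(ch, layout):
    """Return (row, col, modifier) for the keystroke that produces `ch`
    under `layout`, or raise ValueError if the subset cannot type it."""
    for mod in PREFERENCE:
        for r, row in enumerate(layout[mod]):
            c = row.find(ch)
            if c >= 0:
                return r, c, mod
    raise ValueError(f"{ch!r} is not typeable in the modelled subset")


def typed_as(text, believed, actual):
    """The string the system records when a user who thinks `believed` is
    active types `text` on a machine where `actual` is really active: each
    character becomes the physical keystroke the user would make, and that
    keystroke is then interpreted under the real layout."""
    out = []
    for ch in text:
        r, c, mod = find_key(ch, believed)
        out.append(actual[mod][r][c])
    return "".join(out)


def recovery_candidates(stored, layouts):
    """Given the string a system actually recorded (e.g. the passphrase a
    LUKS volume really accepts), list what the user may have intended under
    each (believed, actual) pair of layouts, keyed by the pair's names."""
    out = {}
    for bname, believed in layouts.items():
        for aname, actual in layouts.items():
            if bname == aname:
                continue
            try:
                # Undo the mistake: read the recorded characters as keystrokes
                # under the real layout, then render under the believed one.
                out[(bname, aname)] = typed_as(stored, actual, believed)
            except ValueError:
                pass  # recorded character outside the modelled subset
    return out


if __name__ == "__main__":
    # A user with a US mental model on a machine set to fr:
    print(typed_as("password1", US, FR))             # pqsszord&
    # The Caps Lock habit from Windows on a Linux fr layout:
    print(typed_as("2013", FR_WINDOWS_HABIT, FR))    # ÉÀ&"
    # What the user who set the recorded string may have meant:
    print(recovery_candidates("pqsszord&", {"us": US, "fr": FR}))
```

The first two calls show why a hidden password field does not help here: the user types exactly the keys they meant to, the system just interprets them under another layout, so nothing in the typing feels wrong. The recovery helper is the inverse operation, the kind of thing one tries when a LUKS or GRUB passphrase set from the installer refuses to open later.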



