Message-ID: <20081103144201.GA3847@richter>
Date: Mon, 3 Nov 2008 15:42:02 +0100
From: Simon Richter <Simon.Richter@...yros.de>
To: n3td3v <xploitable@...il.com>
Cc: n3td3v <n3td3v@...glegroups.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Securing our computers?

Hi,

> Does anyone have good ideas on how to secure our computers better? Is
> it a problem at the user end, or a problem at the corporate and
> government end?

It's a problem at the geek end, i.e. with the people who actually build the
systems. We like our systems to be incredibly customizable and powerful,
so we build them this way.

For example, when the X Window System reports an input event to an
application, a flag tells the app whether the event is "synthetic", i.e.
was generated by another program rather than directly by the user. The
mighty xterm knows to ignore such events and offers me a "secure input
mode" where it grabs the keyboard so it can bypass any filtering programs
(such as my window manager, which filters out Ctrl-T as the command key,
and generates a synthetic Ctrl-T for the "Ctrl-T t" sequence).

Now, people have felt the desire to automate various tasks in secure
applications, and created the XTest extension that allows a client that
knows about the extension to generate events with "synthetic" set to false.

The danger is not that any of the technologies here is inherently insecure;
it is that their combination is. And this is the way to more secure
computing: isolation by default.

Of course, that is not "convergence", not "Web 2.0". And certainly not
sexy.

   Simon

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/