[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20081103144201.GA3847@richter>
Date: Mon, 3 Nov 2008 15:42:02 +0100
From: Simon Richter <Simon.Richter@...yros.de>
To: n3td3v <xploitable@...il.com>
Cc: n3td3v <n3td3v@...glegroups.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Securing our computers?
Hi,
> does anyone have good ideas on how to secure our computers better? is
> it a problem at the user end, or a problem at the corporate and
> government end?
It's a problem at the geek end, i.e. with the people who actually build the
systems. We like our systems to be incredibly customizeable and powerful,
so we build them this way.
For example, when the X Window System reports an input event to an
application, a flag tells the app whether the event is "synthetic", i.e.
was generated by another program rather than directly by the user. The
mighty xterm knows to ignore such events and offers me a "secure input
mode" where it grabs the keyboard so it can bypass any filtering programs
(such as my window manager, which filters out Ctrl-T as the command key,
and generates a synthetic Ctrl-T for the "Ctrl-T t" sequence).
Now, people have felt the desire to automate various tasks in secure
applications, and created the XTest extension that allows a client that
knows about the extension to generate events with "synthetic" set to false.
The danger is not that any of the technologies here is inherently insecure,
it is that their combination is. And this is the way to more secure
computing: isolation by default.
Of course, that is not "convergence", not "Web 2.0". And certainly not
sexy.
Simon
Download attachment "signature.asc" of type "application/pgp-signature" (316 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists