
List:       kde-core-devel
Subject:    Re: [PATCH] .desktop security ++
From:       Michael Pyne <mpyne () purinchu ! net>
Date:       2009-02-22 16:15:58
Message-ID: 200902221115.58808.mpyne () purinchu ! net

On Sunday 22 February 2009, Randy Kramer wrote:
> What is the security concern that prompts the suggestion to open the
> property dialog in the first 10 minutes after creating it?  Is it a
> concern that some unauthorized person walks up to a PC, installs
> something insecure and then proceeds to use it?

I just figure that if we're worried about the scenario where someone is 
tricked into opening a trojan .desktop file, the creation time is the only 
bit of meta-data on the file which can't be controlled by the attacker, and 
users who have had their own launchers would presumably have taken more than 
10 minutes to upgrade from 4.2.  Just a thought is all.

Regards,
 - Michael Pyne
