From kde-core-devel Thu Aug 02 19:01:35 2001
From: Neil Stevens
Date: Thu, 02 Aug 2001 19:01:35 +0000
To: kde-core-devel
Subject: Re: Outstanding critical issue for KDE 2.2
X-MARC-Message: https://marc.info/?l=kde-core-devel&m=99677898210328

On Wednesday August 01, 2001 11:53, Andy Fawcett wrote:
> Hi,
>
> I've snipped the entire body of comments from various people. Oh, and I
> am not a core developer either, so feel free to drop this post in the
> moderation process...
>
> First, I work for a company making commercial security products, so I am
> not unbiased in this matter.
>
> From surveys carried out over the last few years, it has become very
> apparent that it is not just the networked users who need to be secure.
> It's not the multi-user systems either. It is everyone.
>
> Typical case. You have a laptop, in a nice case, and you leave it in
> your car while you have lunch. What's that? Somebody stole it? Believe
> me, it happens. According to one survey, 319000 laptops were stolen in
> 1999 (ref http://www.ecompany.com/articles/mag/0,1640,9294,FF.html ). It
> is not clear, but from reading the article it looks like these were US
> cases.
>
> "So what", I hear you ask? "Most of them were Windows based. Nobody will
> crack my linux password".
>
> That's bull. They don't even need to crack it, just take the HD out and
> stick it in another machine, mount the partition, and read the data
> straight off it.
>
> And if that hard drive has a cached copy of any sensitive data from a
> HTTPS transaction, the owner is stuffed.
>
> Let's be proactive in security, not reactive. Close the bug now, because
> it only takes one troll to post about it to slashdot and you can blow
> away all the hard work people have done on KDE security.

It's a lot easier to just take your credit cards to get the credit card
numbers, than to take a HD out of a system. And once you assume an
adversary has physical access to your box, you lose anyway. Sniffers get
installed, and form-complete data becomes the least of your worries.

-- 
Neil Stevens
neil@qualityassistant.com

Don't think of a bug as a problem. Think of it as a call to action.