List:       kde-core-devel
Subject:    Re: Outstanding critical issue for KDE 2.2
From:       Neil Stevens <neil () qualityassistant ! com>
Date:       2001-08-02 19:01:35

On Wednesday August 01, 2001 11:53, Andy Fawcett wrote:
> Hi,
>
> I've snipped the entire body of comments from various people. Oh, and I
> am not a core developer either, so feel free to drop this post in the
> moderation process...
>
> First, I work for a company making commercial security products, so I am
> not unbiased in this matter.
>
> From surveys carried out over the last few years, it has become very
> apparent that it is not just the networked users who need to be secure.
> It's not the multi-user systems either. It is everyone.
>
> Typical case. You have a laptop, in a nice case, and you leave it in
> your car while you have lunch. What's that? Somebody stole it? Believe
> me, it happens. According to one survey, 319000 laptops were stolen in
> 1999 (ref http://www.ecompany.com/articles/mag/0,1640,9294,FF.html ). It
> is not clear, but from reading the article it looks like these were US
> cases.
>
> "So what", I hear you ask? "Most of them were Windows based. Nobody will
> crack my Linux password".
>
> That's bull. They don't even need to crack it, just take the HD out and
> stick it in another machine, mount the partition, and read the data
> straight off it.
>
> And if that hard drive has a cached copy of any sensitive data from an
> HTTPS transaction, the owner is stuffed.
>
> Let's be proactive in security, not reactive. Close the bug now, because
> it only takes one troll to post about it to slashdot and you can blow
> away all the hard work people have done on KDE security.

It's a lot easier to just take your credit cards to get the credit card 
numbers, than to take a HD out of a system.

And once you assume an adversary has physical access to your box, you lose 
anyway.  Sniffers get installed, and form-complete data becomes the least 
of your worries.

-- 
Neil Stevens
neil@qualityassistant.com

Don't think of a bug as a problem.  Think of it as a call to action.
