List:       kde-core-devel
Subject:    Re: Outstanding critical issue for KDE 2.2
From:       Andreas Pour <pour () mieterra ! com>
Date:       2001-08-02 23:38:14

Rolf Magnus wrote:
> 
> On Wednesday 01 August 2001 23:32, Neil Stevens wrote:
> 
> > So disable something potentially useful, for the 5% or whatever of people
> > using KDE in multiuser environments?  This isn't a "security" problem for
> > a single-user desktop.
> 
> So you don't want to disable something potentially dangerous, just for the 5%
> or whatever of people that are too lazy to type in their credit card number
> more than once?

Hi,

Are you OK with the number-compromise then?

> KDE and Unix is a multiuser environment, and as such, it _must_ provide
> enough security for both multi-user and single-user desktops.

I'm not sure how multiuser affects it.  The point is to protect user
information with user permissions; once that is broken I think on most
users' systems a CC number is not the most personal thing there.

Also, the underlying assumption I don't agree with is that HTTP data is
somehow less private/secure than HTTPS data.  Now that we move to
IPv6Sec HTTPS might just go away.  Other people have VPN (like SSH
tunnel over HTTP) solutions.  In short, HTTP does not mean it's not
encrypted.  Moreover, plenty of confidential information gets passed
around using HTTP (and unencrypted email for that matter).  Would you be
happy if your private mbox is sent to the world?  I'd much rather have my
CC numbers be published, I can cancel those.

> And someone could still break into your house and get that data because it's
> unencrypted on your disk. 

Sure, but it's impractical to try to set up software on a typical-user
system to protect against that.  Intelligence agencies do this, users
won't go through the necessary hassle (that's a convenience/security
trade-off).

> Or think about a virus that gets your
> autocompletion history and sends it to a server over the Internet.

There are files on my system I'd be a lot more worried about.
 
> > OK, I made up that number.  But the relative number of multiuser vs
> > singleuser KDE installs should determine what case we optimize for.
> 
> Please, don't treat security as something unimportant that can be ignored for
> convenience. Microsoft does this, and it's the reason why I haven't done
> anything in the Internet under Windoze for the last two years. It's just too
> insecure.

Well, if you are really security conscious, you don't network your
computer.  You certainly don't send your CC number to an e-commerce
site, you have no idea how they protect it on their end (even using a
credit card in a restaurant can lead to abuses of the card, as has
happened to me more than a few times, does this mean we should stop
using credit cards?).

BTW, I don't see CC numbers as being any different from SSL cookies.
How are those stored?  What prevents some "virus" from sending your SSL
cookie files to itself?  (I note there that the SSL cookie can easily be
a gateway to far more personal/private info than CC numbers, such as
medical records and so on).

Also, does the user really understand that in network-transparent
operations a local copy of a file is made?  Maybe there is confidential
data in that?  Maybe network transparency should be disabled by default?

Also, for example, an image may be private.  Someone may delete an image
and not know Konqueror or whatever created a thumbnail on disk
somewhere.  Should this feature also be disabled?

This all leads up to my oft-stated view that you can't deal with
security/privacy in an ad hoc manner.  Security/privacy needs a
system-wide approach, as your security/privacy is only as strong as your
weakest link.

Also, I think this discussion has suffered from a failure to distinguish
between "security" and "privacy".  The security is breached when the
virus gets on the machine, not when it sends the information -- even if
the virus does absolutely nothing when it gets a user account, there
still has been a security breach.  Sending the data is a privacy
violation which occurs after the breach.

Security is best dealt with rationally, rather than on emotion, which is
what I see this debate having become.

Ciao,

Dre
