From kde-devel Thu May 21 13:17:21 2009
From: dantti85-dev () yahoo ! com ! br
Date: Thu, 21 May 2009 13:17:21 +0000
To: kde-devel
Subject: KLineEdit Security
Message-Id: <551298.97386.qm () web32104 ! mail ! mud ! yahoo ! com>
X-MARC-Message: https://marc.info/?l=kde-devel&m=124291255020925

Hi,

it all started with the "Security problems with sudo" thread that pointed me to http://www.geekzone.co.nz/foobar/6229 and made me think a bit about PolicyKit security.

PolicyKit allows a better "containment" than using sudo since it can only do predefined tasks, but when the problem comes to key logging what the user is typing there is not much that we can do to prevent it from becoming root.

Well, actually in my idea there is. I didn't get deep into details but I believe this could really work.

The idea is quite simple: when some application requests a policy-kit authorization dialog for you, prompting for any password, PolicyKit-kde would put some trash keys into the user password.

For example, the user pass is "banana"; when he types b we fake type "@#FfDssfd3$", then a and we again "dfsdflk" ....

Then the "banana" password would be somehow lost in a very VERY long string.

What I need to know now is if typing "fake" key presses is trackable (if the keylogger would find out what keys our app pressed, and what keys the user pressed).

Talking about this with Dario Freddi, he had a better idea that would make all KDE applications using KLineEdit (that's why the subject) have this feature enabled when using type password.

So the actual hack would go to KLineEdit instead of PolicyKit...

What do you guys think? Have I gone too far? Is this possible? If so, does someone volunteer to help hacking (since my time is short :P )

Cheers,
Daniel.