Hi,

> does anyone have good ideas on how to secure our computers better? Is
> it a problem at the user end, or a problem at the corporate and
> government end?

It's a problem at the geek end, i.e. with the people who actually build the systems. We like our systems to be incredibly customizable and powerful, so we build them this way.

For example, when the X Window System reports an input event to an application, a flag tells the app whether the event is "synthetic", i.e. was generated by another program rather than directly by the user. The mighty xterm knows to ignore such events and offers me a "secure input mode" where it grabs the keyboard so it can bypass any filtering programs (such as my window manager, which filters out Ctrl-T as the command key, and generates a synthetic Ctrl-T for the "Ctrl-T t" sequence).

Now, people have felt the desire to automate various tasks in secure applications, and created the XTest extension that allows a client that knows about the extension to generate events with "synthetic" set to false.

The danger is not that any of the technologies here is inherently insecure; it is that their combination is. And this is the way to more secure computing: isolation by default. Of course, that is not "convergence", not "Web 2.0". And certainly not sexy.

Simon
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
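The synthetic-event check described in the message above, as an added example that is not part of the original post and is not xterm's code: in the X11 wire format the high bit of an event's first byte is set when the event was delivered through SendEvent, and a client can drop key events that carry it. The function names are hypothetical and the three 32-byte events are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define X_EVENT_SIZE     32    /* every core X11 event is 32 bytes on the wire */
#define X_KEY_PRESS      2
#define X_KEY_RELEASE    3
#define X_SEND_EVENT_BIT 0x80  /* set in byte 0 if delivered via SendEvent */

enum verdict { ACCEPT_KEY, DROP_SYNTHETIC, NOT_KEY_EVENT };

/* Classify one wire event the way a client refusing synthetic input would. */
enum verdict classify_event(const uint8_t *ev) {
    uint8_t code = ev[0] & 0x7f;
    if (code != X_KEY_PRESS && code != X_KEY_RELEASE)
        return NOT_KEY_EVENT;
    return (ev[0] & X_SEND_EVENT_BIT) ? DROP_SYNTHETIC : ACCEPT_KEY;
}

/* Compact accepted key events to the front of buf; count the dropped ones. */
size_t filter_key_events(uint8_t *buf, size_t n, size_t *dropped) {
    size_t kept = 0;
    *dropped = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *ev = buf + i * X_EVENT_SIZE;
        switch (classify_event(ev)) {
        case ACCEPT_KEY:
            memmove(buf + kept++ * X_EVENT_SIZE, ev, X_EVENT_SIZE);
            break;
        case DROP_SYNTHETIC:
            (*dropped)++;
            break;
        case NOT_KEY_EVENT:
            break;
        }
    }
    return kept;
}

/* Constructed sample: keycode 28 typed by the user, the same key forwarded
 * with SendEvent, and the same key as it arrives after XTest injection. */
size_t run_sample(size_t *dropped) {
    uint8_t buf[3 * X_EVENT_SIZE] = {0};
    buf[0 * X_EVENT_SIZE] = X_KEY_PRESS;                    /* hardware key press */
    buf[1 * X_EVENT_SIZE] = X_KEY_PRESS | X_SEND_EVENT_BIT; /* SendEvent copy */
    buf[2 * X_EVENT_SIZE] = X_KEY_PRESS;                    /* XTest: bit is clear */
    for (int i = 0; i < 3; i++) buf[i * X_EVENT_SIZE + 1] = 28;
    return filter_key_events(buf, 3, dropped);
}
```

Only the SendEvent copy is dropped; the third event passes because its flag is clear, which is the combination problem the message describes.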