Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
On Wed, 5 Sep 2012 20:19:03 -0500 Derek Martin <invalid at pizzashack.org> wrote: > Even if this isn't your situation, the fact is your session contains a > lot of state, and having to recover that state even every morning is > counterproductive. Everything I do more than twice by hand in short order gets automated because I don't have time to waste reconfiguring the session every. single. day. > [*] Where "likely" means that the risk of such an intrusion is > significant enough that the cost of failure justifies the cost of > protection. The loss of productivity this kind of nonsense causes > adds up fast, almost certainly measuring in the millions of dollars > annually. As I just noted, the kind of environment under discussion is more or less open clusters of workstations where anyone can sit down and use any node. Physical security is effectively nonexistent so you need to rely on logical security, things like strong encryption on authentication (like Kerberos), maybe N-factor authentication, encrypted home directories (like EncFS or ecryptfs), and so forth. Remote access (like ssh) is disabled. So, you sit down in the morning, log in, get all your software tokens set up. Everything good. And you run up an xlock and go lunch. Me, I see you've done this, sit down, switch to a text console and log in myself. I now have access to your unlocked home directory modulo whatever file permissions and ACLs you may have set. Since you've been sloppy with your session security I will assume for the sake of discussion that you've been similarly sloppy with your file permissions -- the whole directory is encrypted after all. I may not have write access to anything in your $HOME but I can copy all or most of it out and peruse it at my leisure. If you had logged out instead of locked the screen then your home directory would have been unmounted leaving only the encrypted version visible. There's your clear and present threat thwarted by simply logging out. -- Rich P.
BLU is a member of BostonUserGroups | |
We also thank MIT for the use of their facilities. |