Monday, March 30, 2015

One of the Windows NT security features that everyone remembers is pressing CTRL+ALT+DEL to unlock the workstation (which can still be enabled through a policy setting in current versions). Because no other program can respond to that particular key combination, it serves to defeat fake lock screens. On the other hand, according to Martin Gräßlin of the KDE team, X11 is too old to provide adequate security for screen lockers. X11 does not recognize a screen locker at the protocol level, so the X server cannot determine whether the screen is locked. There is no privileged process that acts as the screen locker; a screen locker performs the same operations as any other program, so it is possible to obstruct the locking of the screen. For example, simply opening a context menu in any window prevents the screen from being locked. In other words, any process connected to the X server can block the screen locker, and it follows that it can also act as a fake screen locker.
In order to release the screen lock, you must have a password. Certainly some sort of program is required, but you cannot learn the password simply by starting any program. However, you can collect the password naturally by displaying a lock screen. Also, a process with ordinary user privileges can disguise itself as the lock screen of an administrator user; it may not be possible to obtain administrator privileges that way, but on a shared PC it might also be possible to collect other users' passwords by impersonating the login screen. # Password collection is possible even without such a disguise, since some people are fooled anyway, but if you can disguise it, the efficiency goes up. # Can you say the same about spoofing the browser's address bar or dialogs?
For a screen that looks locked, deciding whether the other side is legitimate before you enter the password by whether it responds to a particular key combination such as CTRL-ALT-DEL only makes sense as a design for something with absolute authority over the keyboard, such as the local OS; that is the point. Whether it is Windows Remote Desktop or X, if the client process (communicating with the X server) handles the password for unlocking, it cannot rely on the local keyboard in the first place.
To begin with, the nature of the problem is "authentication": how does a human user tell the password to the correct process (apart from "eavesdropping" by keyloggers and the like, which remains a problem even when authentication is done properly)? Given hardware virtualization (networks and various hardware are assumed) available, for example, from an application on Windows or iOS, cases where there is no physical keyboard in the first place, or doing away with passwords altogether with Google Authenticator [wikipedia.org] and the like via TOTP authentication, isn't this separate from merely providing a "key"?
Well, if impersonation of the screen locker by an attack program that has been started is prevented, the user's password is protected. I wonder if that could be done with a privileged-mode window whose key input and screen contents cannot be captured. However, it requires the user to understand the following, and a significant amount of education seems necessary.
1. A window requesting a password must be in "privileged mode".
2. Only pre-set programs can create a window in privileged mode.
3. The user can judge whether a window is in privileged mode by performing an "operation to confirm the privilege".
4. On a window that requires a password, such as a screen locker, the user must always carry out the "operation to confirm the privilege" before entering the password.
(There is also the question of what is being protected by protecting the password. By the time the attack program was executed, whatever you wanted to protect with the password may already have been taken.)
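As an added illustration (not code from the original discussion, from KDE or from X.Org), a small Python model of the two input designs this thread contrasts: X11, where any connected client can hold the keyboard grab and the server has no idea whether the screen is locked, and a constructed secure-attention design in which a single pre-registered locker is the only client the attention key hands the keyboard to. The client names and server classes are assumptions of the model, not real Xlib calls.

```python
from typing import Optional

ALREADY_GRABBED, SUCCESS = "AlreadyGrabbed", "Success"  # X11 GrabKeyboard status names

class X11Server:
    """X11 semantics as the thread describes them: all clients are equal, an active
    keyboard grab is first come first served, and there is no notion of a locker."""
    def __init__(self):
        self.grab_owner: Optional[str] = None  # client ids are plain strings in this model
    def grab_keyboard(self, client: str) -> str:
        if self.grab_owner not in (None, client):
            return ALREADY_GRABBED  # e.g. an open context menu already holds the grab
        self.grab_owner = client
        return SUCCESS
    def locked(self) -> Optional[bool]:
        return None  # unknowable to the server, so any client may pose as the locker

class SakServer(X11Server):
    """Constructed secure-attention design (the NT-style behaviour discussed above):
    one pre-registered locker; the attention key is handled by the server itself,
    revokes any client's grab and hands the keyboard to that locker alone."""
    def __init__(self, locker: str):
        super().__init__()
        self.locker, self.is_locked = locker, False
    def secure_attention(self) -> str:
        self.grab_owner, self.is_locked = self.locker, True
        return SUCCESS
    def grab_keyboard(self, client: str) -> str:
        if self.is_locked and client != self.locker:
            return ALREADY_GRABBED  # an unprivileged client cannot take over a locked screen
        return super().grab_keyboard(client)
    def locked(self) -> Optional[bool]:
        return self.is_locked

def x11_lock_with_menu_open():
    """Constructed scenario: a context menu grabs the keyboard, then the locker tries."""
    srv = X11Server()
    srv.grab_keyboard("context-menu")
    return srv.grab_keyboard("locker"), srv.locked()

def sak_lock_with_menu_open():
    """Same scenario under the secure-attention model, plus a fake locker's grab attempt."""
    srv = SakServer(locker="locker")
    srv.grab_keyboard("context-menu")
    srv.secure_attention()
    return srv.grab_owner, srv.locked(), srv.grab_keyboard("fake-locker")
```

The X11 scenario ends with the locker refused (`AlreadyGrabbed`) and the server unable to say whether anything is locked; the secure-attention scenario ends with the keyboard owned by the registered locker and the fake locker refused.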
> First, Windows has realized the above four points since the NT era. The "operation to confirm the privilege" would be Ctrl+Alt+Del. As long as the user understands it, I think it is a nice feature. But I think an "operation to confirm the privilege" is inherently difficult, because it means distinguishing a program trusted enough to enter a password into from a program that cannot be trusted, starting from the point where an untrusted program is launched. A feature like Ctrl+Alt+Del must also be applied to things like sudo asking for a password in a terminal, not only to the screen lock. I am not defending X. I just think that currently, at the point where you allow execution and connection of programs that cannot be trusted, it is no good. It is probably true that X is obsolete. I expect something like that from Wayland.
by Anonymous Coward
By the way, in the first place, impersonating the login prompt as a way of stealing passwords was originally classic UNIX malware: code that displays a fake login prompt is put into a login script, so the user enters the correct account and password at the real login prompt, login succeeds, the login script runs and displays a spoofed login prompt, the user thinks they mistyped and enters the correct account and password again, and the attacker takes it. The solution was "enter a wrong password first". Well, that was the CLI, and things don't work that way in a GUI.
This. Even if you started from the design stage of X11, nothing would come of it.... Whether you call the design concept bad or say that security was never a basis, it was built on the assumption of use only on an internal LAN, and that goes for the bandwidth it uses too. There is no encryption on the route without ssh tunneling. Outside of XDMCP, there is no interface that enables starting an X client on its own, so it has to depend on other remote access protocols. And the inability to control itself can also be a security hole by design.
by Anonymous Coward on January 31, 2015, 20:04 (#2753587)
Or is it that `xhost +` is not something used on UNIX machines shared with others, and what is pointed out here is an issue for critical applications, I guess?
by Anonymous Coward
While I personally disagree, it just does not hold for X11. If only clients of one user were connected to the X server one could say so. But X11 allows clients from other users and even remote clients.
Propaganda of Wayland? (Score: 0)