John:

> How is this any different from other tools like Firefox?
> An end user can add plugins and Add-ons to Firefox.
> Thanks,

I wasn't trying to suggest that it is a problem to be able to add plugins (even malicious ones). It just seemed to me that Henry was a little confused about how to approach answering the "Security" question on the ARC form, so I was trying to highlight some issues that probably should be mentioned. At any rate "None" seems an insufficient answer, based on this discussion.

The original paperwork for this case was not very clear about the plugin interfaces, or that end-users could add plug-ins themselves. So I have just been trying to tease out what seems to be missing information. For all I know, you can install plugins over the network from the client machine, so I am hoping that in asking these questions Henry will provide us with more complete information.

Brian

> On Sat, 2008-08-16 at 10:23, Brian Cameron wrote:
>> Henry:
>>
>>> .gkrellm2/plugins is for gkrellm client, it is used for gkrellm running
>>> to show the status of the local machine.
>>> The ~/.gkrellm2/plugins-gkrellmd/ is used to store server plugins for
>>> user, so user can add some of his own plugins, and then run gkrellm client
>>> remotely to get the relative information.
>> If I trick a user into installing a plugin which allows them to monitor
>> my keyboard strokes, could such information be sent to the remote
>> client?
>>
>> What, if anything, can a system administrator do to prevent such attacks
>> from being possible? Can the system administrator turn off the feature
>> which allows users' plugins to be functional? Is this feature off or on
>> by default?
>>
>> Brian
>