On Mon, Feb 27, 2012 at 3:21 PM, Rich Pieri rati...@mit.edu wrote:
On Feb 27, 2012, at 2:37 PM, Michele Orru wrote:
I think you didn't understand the content of the advisory.
If there are 10 non-root users in an Ubuntu machine for example,
if user 1 is using pidgin with OTR compiled with DBUS,
On 02/27/2012 11:23 PM, devn...@vonage.com wrote:
I believe that clarification is in order.
Indeed it is. The original post mentions a same-user attack
vector which is very misleading as to what the real problem here is.
And it boils down to this:
Once a process sends private info over DBUS
On 02/28/2012 12:14 AM, Dimitris Glynos wrote:
On 02/27/2012 11:23 PM, devn...@vonage.com wrote:
I believe that clarification is in order.
Indeed it is. The original post mentions a same-user attack
vector which is very misleading as to what the real problem here is.
And it boils down to
Jann Horn wrote:
2012/2/25 Dimitris Glynos dimit...@census-labs.com:
Pidgin transmits OTR (off-the-record) conversations over DBUS in
plaintext. This makes it possible for attackers that have gained
user-level access on a host, to listen in on
On Feb 27, 2012, at 2:37 PM, Michele Orru wrote:
I think you didn't understand the content of the advisory.
If there are 10 non-root users in an Ubuntu machine for example,
if user 1 is using pidgin with OTR compiled with DBUS, then user 2 to 10
can see user 1's pidgin conversation.
This