2009/2/14 Peteris Krisjanis <pec...@gmail.com>:
> 2009/2/14 Vincenzo Ciancia <cian...@di.unipi.it>:
>> On 14/02/2009 Felipe Figueiredo wrote:
>>> As others said, more than once in this thread, the change is
>>> reversible.
>>> There will be a package to install so you don't have to edit your
>>> xorg.conf.
>>
>> I will keep myself informed but I expected that ubuntu-devel-discuss was
>> also a place to discuss the ubuntu development, involving high-impact
>> changes. My mistake, so I will keep myself informed.
>>
>> However, it seems to me that nobody is getting the point about fake
>> login screens: if I am a *user* of somebody else's network, how can I
>> protect myself from another *user* faking a login screen, used as the
>> only running X application, and stealing my password?
>
> You have evidence that such scenario could happen or even has happened?
> Or you just speculate? Anything can be faked in this world, especially
> on computers.

It's known as the secure attention key.
http://www.google.com/search?q=%22secure%20attention%20key%22
and yes this is a real attack with lots of history. When I was in University some of my friends were competing to collect the largest number of passwords,

F

>> Under some windows versions, I can use ctrl+alt+delete. I bet the mac
>> has something similar,
>
> Nope, it doesn't (as far as I know, and I have worked with OS X as
> sysadmin for five years). And Windows Ctrl+Alt+Delete has absolutely
> different meaning than anti-faking measure.
>
>> and Xorg traditionally had ctrl+alt+backspace
>> (even though, it also kills the session as a nice side effect). Now, you
>> have to consider that even an experienced system administrator may not
>> notice the change when he will install next ubuntu on the client
>> machines of a computing lab, or even worse when upgrading to it. Fancy
>> an inexperienced system administrator as there are many.
>
> Well, inexperienced system administrator would allow box to contain
> trojan to get your password anyway. Believe me, faking login screens
> is not a way someone would steal your password, unless there is no
> other way.
>
>> I will surely write my own fake gdm as an exercise just in case I become
>> a user of such an admin :) Because of statistics, you know, if I carry
>> a bomb there can't be another bomb on my plane.
>
> Strawman argument.
>
>> If the solution is "currently, ubuntu jaunty is vulnerable to this
>> problem", let's just admit it and make it public in the release notes at
>> least. So that people will know and avoid leaving the default
>> configuration on clients.
>
> No, Jaunty simply won't have C-A-B feature enabled by default. Simple
> as that. Release notes don't have such speculation as "OMG, visual
> interface has changed, someone could use it to steal information from
> people".
>
>> Personally I would love that the power button returned to gdm, and that
>> gdm created a new X session (like for the "guest login" use case) for
>> every login, without disappearing, and occupying a fixed tty (the one
>> the power button would return to). In that case, gdm could also offer a
>> pre-loaded and not-swappable emergency shell that administrator may
>> access. However, this *really* needs a blueprint so for now is there any
>> other solution?
>>
>
> Yes, this *really* needs a blueprint just for a reason - it is how
> world-shattering changes are introduced into Ubuntu. Disabling C-A-B
> by default was a blueprint for two years. This is how decision making
> happens.
>
> Don't get me wrong - I know that changing features is a painful process
> for some of us, but as far as I have experienced with Ubuntu, it
> always pays back in the long term. Introduction of compiz broke a lot of
> setups, but Hardy released with nice desktop effects tested for some
> time. NetworkManager 0.7 was introduced as main network configuration
> tool. Sure, I was annoyed, even angry. But I took time to test it and
> understand it and now I admit that it is a future.
>
> There is a blueprint already for dealing with C-A-B without disabling
> it and I hope it will find a way into Jaunty+1. And that is how system
> should work.
>
> Cheers,
> Peter.