[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Email based attack on University

On Fri, Oct 04, 2019 at 10:11:52AM +0100, Brian wrote:


> > Yes, "our" security story is way better than theirs [...]

[edit: I forgot to put "theirs" in quotes]

> A single reliable, well-documented and repeatable example of a problem
> caused by pressing enter or clicking on a mail would go a long way to
> wipe the smile of my face.

That's not my goal, anyway. Smiles are like sunshine, so why would
I want to wipe them?

But still: every "code execution" escape in your MUA paired with a
privilege escalation (or some social-engineering equivalent like
"click here to install shiny package) is an example. And "we" have
had bunches of those.

> User files are not necessary for the health of the system.

But they're the those which really count: after all, I can reproduce
the system easily.

Of course, smart users compartmentalize the risk: as an example,
my tax declaration is done under a different user (for one, it's
somewhat sensitive data, for the other, my tax overlords force
me to use a browser with all gates open, which I consider as
inherently insecure, so I prefer to keep things separate. And
this separation is helped [1] by the system's integrity.

Others wanting to go the extra mile do QubesOS or something
similar. There's more than one way to do it.

All in all, smugness amounts to underestimate your enemy.
And, as Sun Tzu taught us long ago, that's a bad idea.


[1] Some would say "guaranteed". I'm in this job for too long
   to dare use such a harsh word :)

-- tomás

Attachment: signature.asc
Description: Digital signature

Reply to: