undefined | Better HN

0 pointsAnIrishDuck12y ago0 comments

> This requires a very different model of access control and user/application privileges, and unfortunately I don't think any mainstream OS is even close to solving this one yet.

I'm not sure it does require a different model of access control. It just requires people to actually use the access control mechanisms that exist already.

You should not access banking details or any other sensitive information in the same user-level context as you use to generally browse the internet. The privileges needed for each task ("browse the internet" vs. "check bank statements") should be different. I personally have a separate user account on my machine set up specifically for "sensitive" tasks.

Separation of data access via privileges is nothing revolutionary, nor is it something that can't be done on any modern OS. Unfortunately, online services are still behind. For example, I would probably switch to an online banking provider that let me create one account for viewing balances and another for transferring cash. But these services will get there in time.

User education is a different story.

0 comments

Silhouette12y ago

Your proposal is OK if accessing sensitive information is something you only do occasionally, but it's not very practical to switch users completely if you deal with sensitive information often, which many people do.

On the other hand, if only explicitly authorised applications can create outbound Internet connections at all, and if applications like browsers and e-mail clients need explicit permission to read a general user file (as opposed to, say, accessing their own designated configuration or data files), then you significantly decrease the degree of vulnerability a user has to data leakage attacks (among other types).

krenoten12y ago

Check out qubes os if you don't want to trust your kernel to enforce your mandatory access controls (you DO only allow certain applications/users/groups/roles/OS's/Hypervisors/etc... to do certain things, DON'T YOU??). Xen is a smaller attack surface, and depending on how much of a pain in the ass you consider having all of your files stolen and deleted being, there are many options for locking it down quite a lot. XSM-Flask if you are too paranoid, Hypersafe for control flow attacks + invariant violation detection tools for non-control data attacks over nested hypervisors if you are resolute.

FedRegister12y ago

>Your proposal is OK if accessing sensitive information is something you only do occasionally, but it's not very practical to switch users completely if you deal with sensitive information often, which many people do.

    $ sudo -u banking gnucash &
    $ firefox &

Done. My banking files and my Firefox session are now separated.

antihero12y ago

Interestingly, you may have just fucked yourself, because the sudo session is maintained whilst launching Firefox.

If we create a script 1:

   #!/bin/sh
   echo "I'm doing something secure"

And then script 2:

   #!/bin/sh
   echo "I'm doing something insecure".
   sudo echo "I'm doing something malicious".

Then run:

  $ sudo ./script1.sh; ./script2.sh

Looks like Firefox has access to your banking user :)

1 more reply

Silhouette12y ago

And for the 99.7% of users in the real world who drive their computers using a GUI and not a command line? Or those who do use a command line but aren't sufficiently competent with system administration to reliably get sudo-based access control right every time?

tempestn12y ago

What about photos? I could see ransomware being very successful just demanding payment to avoid making a bunch of your personal photos publicly available on the internet. They may not be sensitive per se, but they're still likely not something you want out there publicly. Ditto for email, chat messages, etc., etc.

j / k navigate · click thread line to collapse

0 pointsAnIrishDuck12y ago0 comments

> This requires a very different model of access control and user/application privileges, and unfortunately I don't think any mainstream OS is even close to solving this one yet.

I'm not sure it does require a different model of access control. It just requires people to actually use the access control mechanisms that exist already.

User education is a different story.

0 comments

Silhouette12y ago

krenoten12y ago

FedRegister12y ago

    $ sudo -u banking gnucash &
    $ firefox &

Done. My banking files and my Firefox session are now separated.

antihero12y ago

Interestingly, you may have just fucked yourself, because the sudo session is maintained whilst launching Firefox.

If we create a script 1:

   #!/bin/sh
   echo "I'm doing something secure"

And then script 2:

   #!/bin/sh
   echo "I'm doing something insecure".
   sudo echo "I'm doing something malicious".

Then run:

  $ sudo ./script1.sh; ./script2.sh

Looks like Firefox has access to your banking user :)

1 more reply

Silhouette12y ago

tempestn12y ago

j / k navigate · click thread line to collapse