[LINK] Consumer computer security

Glen Turner glen.turner at aarnet.edu.au
Wed Jan 24 17:29:13 AEDT 2007


Craig Sanders wrote:

> to start with, it would be running linux (or freebsd or even mac osx but
> linux is less hassle and there are a number of freely available live-CD
> linux distros to choose from) rather than windows.

Ah, yes. Linux and security.  More secure than Windows does not
mean secure.

As a trivial example, Linux will happily run under VMWare and
take input from the keyboard, even where the applications
programmer has requested X Windows to use secure inputs only.

Yes it's convenient. It's also insecure as, despite the applications'
specific request, it's now taking input from an insecure source,
since we should not trust that VMWare has not been compromised.

> secondly, it would have java, flash, and other executable web content
> disabled.

That's a real problem for the bank's applications programmer, since
they now have no way to correct the deficiencies of the operating
system.  For example, both Windows and Linux will allow secrets to
be entered through the keyboard whereas the applications programmer
might prefer them to be entered using a randomised on-screen keyboard
so that keyloggers cannot replay the keys.


Without changes to PC hardware there are no simple answers here.  The
PC even lacks a genuine Secure Attention Key so that you can be
sure your Linux Live CD for Banking is loading on real hardware rather
than some nefarious emulator.

There's also the problem of secure delivery of the Live CD.

But we're starting from a low base here, so I suppose any
improvement is worthwhile.


-- 
 Glen Turner         Tel: (08) 8303 3936 or +61 8 8303 3936
 Australia's Academic & Research Network  www.aarnet.edu.au



More information about the Link mailing list