Monday, November 02, 2009

Massive security hole discovered in Linux! ... Or not? There's a lesson to be learned here, I think.

A security hole in Gnome allows anyone to see your keyring passwords without needing to enter so much as a password. Despite needing to enter your root password to alter such basic things as CPU Scaling, you are not once prompted to enter it to access the Passwords and Encryption Keyring.

Here's what's going on if you don't quite understand the quote above. GNOME, the default window manager in Ubuntu, comes bundled with this thing called the GNOME Keyring -- basically a password manager that lets the user manage their various logins with a single, "global" one. The post I've quoted above details how it's possible to reveal secure information in the GNOME Keyring without a master password.

But there's some faulty logic here. Consider the first required step in revealing this massive security fail:

1. Restart your computer and log in.

Um, that usually requires a password, don't it?

True, some folks have their user accounts set to automatically log in on startup (bad idea), so this "hole" does have some merit. But let's look at some of the comments following the post...

From Jacopo:

You can right-click on the login folder and then click on "Block" -- if you want to see passwords, you have to unblock it and therefore give the login password.

From bhm:

When you have physical access to PC, hands down, there's no barriers.

And finally, from Miquel:

If you log in, you unlock all your personal data on the computer. If people don't understand this, then they have an IT education or comprehension problem which is bigger than revealing a few IM passwords.

So to sum up, at some point it falls upon the user to recognize how and when their computer and personal information are vulnerable, and take appropriate steps to minimize the risk to both.

Seems like common sense to me...

Posted via web from Andrew Currie on Posterous