desktop security questions

Richard Li richardl at redhat.com
Wed Jun 16 20:33:09 UTC 2004


On Tue, Jun 15, 2004 at 12:58:46AM -0400, Jonathan Blandford wrote:
> Mark McLoughlin <markmc at redhat.com> writes:
> >
> > 	Given that designing secure applications/systems is all about trade
> > offs between the risks to the application and the cost of the possible
> > countermeasures, you need some sort of basic framework for making those
> > tradeoffs.
> > 
> > 	Here's the kind of thing I'm thinking of:
> > 
> >       * What can go wrong/what are we trying to prevent/risks? 
> >               * Loss of data
> >               * Disclosure of private data/loss of privacy
> >               * Denial of service
> >               * Interruption of work/reduced productivity
> 
> Another possible risk is identity masquerading (eg. sending a bomb
> threat from another person's email account.)  There's also a ranking of
> the severity of these.  They're all bad, but the last two are less bad,
> as they diminish your experience and don't necessarily cause
> irreversible harm.
> 
> We should also add that we are trying to protect the whole ecosystem as
> much as possible.  That is, it's bad if an attacker gains the ability to
> run a process as an unprivileged user on a box even if it takes negligible
> resources from that box.

On a different but related note, protecting the whole ecosystem
entails different types of defenses. Bruce Schneier lists three types:
prevention, detection, and response. So, in Jonathan's example above,
there are three kinds of questions that the ultimate solution can
choose to provide:

1. What does the desktop do to prevent identity masquerading?
2. Once someone has stolen my identity, what does the desktop do to
let me know this has happened?
3. Once I figure out it's happened (via my own intuition or by some
notification mechanism), how does the desktop help me recover?

Another example: I've read that a lot of spam is sent by unwitting
Windows users. Microsoft is trying to improve security with efforts
such as the firewall in SP2. Something that could also be useful could
be something that sensed a lot of SMTP traffic and reported it: "Your
desktop is sending a very large quantity of email. This could indicate
that your machine has been infected with a malicious program. Go to
this URL for more information."

> >       * What are our goals? 
> >               * Provide a system whereby the user can easily and safely
> >                 get their work done
> >               * Ensure the privacy and integrity of a user's data

Also:

Detect any violation of my data integrity/privacy.
Recover from violations of my data integrity/privacy.

Richard
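As an added illustration of the "your desktop is sending a very large quantity of email" idea above (example code, not from the thread or any Fedora component): a sliding-window monitor over a constructed outbound-connection log that raises one notification per burst. The log format, port set, threshold and window are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

SMTP_PORTS = {25, 465, 587}    # assumed: mail ports worth watching
THRESHOLD = 20                 # assumed: connections per window that count as "a lot"
WINDOW = timedelta(minutes=5)  # assumed sliding window

# Constructed sample log: '<ISO timestamp> <src> -> <dst>:<port>', one connection per line.
SAMPLE_LOG = [
    "2004-06-16T20:29:00 10.0.0.5 -> 192.0.2.10:443",
    "2004-06-16T20:29:30 10.0.0.5 -> 192.0.2.11:25",   # one ordinary mail send
    "garbled line that should be skipped",
] + [f"2004-06-16T20:30:{i:02d} 10.0.0.5 -> 198.51.100.{i + 1}:25" for i in range(25)]

def parse_line(line):
    """Return (timestamp, dst_port) for a well-formed line, else None."""
    try:
        ts, _src, _arrow, dst = line.split()
        return datetime.fromisoformat(ts), int(dst.rsplit(":", 1)[1])
    except (ValueError, IndexError):
        return None

def smtp_alerts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return the timestamps at which outbound SMTP connections within
    `window` first reach `threshold`. One alert per burst, not per line,
    so a runaway mailer does not also produce a runaway notifier."""
    recent = deque()   # timestamps of SMTP connections inside the window
    alerts, over = [], False
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] not in SMTP_PORTS:
            continue
        ts = parsed[0]
        recent.append(ts)
        while ts - recent[0] > window:   # drop connections older than the window
            recent.popleft()
        if len(recent) >= threshold:
            if not over:                 # rising edge: notify once
                alerts.append(ts)
                over = True
        else:
            over = False                 # burst subsided; re-arm
    return alerts

def sample_alerts():
    return [t.isoformat() for t in smtp_alerts(SAMPLE_LOG)]

if __name__ == "__main__":
    for t in sample_alerts():
        print(f"{t}: this desktop is sending a very large quantity of email")
```

The single ordinary send at 20:29:30 stays inside the window, so the burst trips the threshold at its 19th connection rather than its 20th; the rising-edge flag is what keeps the user from being notified 25 times.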
