Hi!

David Zeuthen [2006-01-12 11:27 -0500]:
> Sigh... If the user is able to insert a USB key to the system, then he
> is also able to wield an axe through it and destroy it that way. Sure,
> let's fix that bug, but, for the love of $DEITY, this is _not_ an attack
> vector that is worth bothering about.

It is your right to not care about it, but we do. E. g. I'm sure that
you have already seen one of these nice automata to print photos that
you provide on CD-ROM or a USB stick? Also, we offer solutions for
terminal servers and for multiseat configurations, and we do not want
to rule out the possibility of physical security by design. There are
people out there whose data is more valuable than the computer they
process them with (as a counter argument against the slashaxe DoS).

So whether or not you need to worry about this kind of DoS is a matter
of what you want to do with software. As long as you just use your USB
stick at your standard home PC, this is not an issue of course.

> No, I don't want to hear stupid stories about the actual motherboard of
> the system being distant from the terminal.

*shrug* There are just 200 physically locked boxes in the computer lab
of my uni, but I'll shut my mouth.

> It all comes down to who is at the console and what that means. Can you
> understand why I some people think it's crazy to call that an attack
> vector?

I never claimed that this bug caused the sky to fall, it was just an
example that I dug out after 30 seconds of grepping. There are people
with far more free time and h4x0ry skills than me.

But it all depends on how you label hal. If there is a sticker that
says 'Warning! Do not use for physically secured systems', fine for
me.

> > If your aim is to provide a generally usable hardware abstraction
> > client, then you just need to think about a sane security
> > architecture as well; completely neglecting the topic will not help
> > to increase the trust people put into hal.
>
> I am _not_ neglecting this topic and I take offense at you saying I do.

I didn't address you, I answered to Kay's email; Sorry if you felt
that this referred to you.

> > I am happy to go through
> > the discussion and help with improving hald, but only if there is
> > actually some interest from upstream's side.
>
> There is.

Glad to hear that.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?