[Fwd: BugTraq - how to coverup the security]

Bill Frantz frantz at pwpconsult.com
Tue Jul 15 13:22:49 EDT 2003


At 5:51 PM -0700 7/14/03, Sean Smith wrote:
>If you don't design a trusted path into the system, why should
>you expect there to be one?

The idea of "trusted path" seems to have been lost in history.  Both Redhat
Linux and Macintosh System X have the worrisome habit of asking you for
your administrator password (root password in the case of Redhat) as part
of their online system update procedure.  It seems to me that any program
could pop up such a dialog, and it wouldn't look any different.

Back in the old days, flipping the online/offline switch on a 3270 terminal
would cause VM/370 to disconnect the currently logged on user and display
the logon screen.  KeyKOS uses the "SysReq" key for the same purpose.
Trusted path was an Orange Book requirement.  What happened?

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz           | "A Jobless Recovery is | Periwinkle -- Consulting
(408)356-8506         | like a Breadless Sand- | 16345 Englewood Ave.
frantz at pwpconsult.com | wich." -- Steve Schear | Los Gatos, CA 95032, USA



---------------------------------------------------------------------
The Cryptography Mailing List