[ale] Trojan mpg123 alert

Michael D. Hirsch mhirsch at nubridges.com
Tue Jan 21 11:44:09 EST 2003


On Tuesday 21 January 2003 11:20 am, Dow Hurst wrote:
> Yes, exactly.  Have the separate throwaway user ready so you can use it
> as a disposable "point man" when in enemy territory, i.e., The Internet.
> I am reading the discussions on separate instances of X on different
> terminals with interest since this is an alternate method of "hot
> switching" between users.  As long as I have a separate instance of a
> browser or email client window on a separate paged desktop it doesn't
> really seem necessary to have separate X servers running.  However, the
> speed of SSH can slow stuff down on a slow box unless you don't use a
> cipher.
> Dow

Why do you need ssh?  This is maybe the third time it's been mentioned in 
this context and it confuses me.  Why ssh to localhost as an untrusted 
user?  Just "su - untrusted user" and export your DISPLAY variable (or use 
su without the - and you don't even need that last step).  And of course, 
"xhost localhost" on your desktop.  What does ssh gain you?

--Michael

> Jason Day wrote:
> >On Wed, Jan 15, 2003 at 11:03:06PM -0500, Stephen F Nicholas wrote:
> >>Slap me if I read this incorrectly.  People surf the web under their
> >>root account ?? :-(
> >
> >I haven't read Bob's book (yet :)), but when I read Dow's message I
> >thought Bob was recommending creating a special user account just for
> >browsing the web.  In other words, run X as your normal user (not
> >root). But when you want to run a browser, ssh to localhost and log in
> >as the browser user, then start the browser as that user.  That way,
> >you can minimize the damage if your browser process gets compromised.
> >
> >>On Wed, 15 Jan 2003, Dow Hurst wrote:
> >
> >[...]
> >
> >>>Bob recommends web browsing as a separate user.  Especially if you
> >>>are using plugins, java, or javascript enabled.  I think ssh'ing to
> >>>your machine as the untrusted user to run the apps would work okay.
> >>>Or, for the dual screen people, instead of running Xinerama, use two
> >>>separate Xservers and log in as separate users.
