Separate user account (was Re: invalid gpg key revocation)

Peter Lebbing peter at digitalbrains.com
Tue Mar 6 22:00:05 CET 2012


On 06/03/12 21:14, Hauke Laging wrote:
> You probably don't even use a separate user account for key handling.

I don't even do that either. Sounds to me like mainly snake oil with an
insignificantly reduced actual hacking risk.

To clarify, an attacker is able to get into your personal user account on your
desktop machine, but then unable to escalate his privileges to administrator
level? That's an odd combination of skills and lack of skills at the same time.

It only takes one vulnerable program which he can (install and?) run. Or he just
needs to wait until you become superuser from your own user account and hitch
the ride.

And you also can't access that separate user account from your own, or you face
the same problem: the attacker is effectively you on your personal account.
Watches you access the separate user account, and bingo.

These are just the most obvious ones. The subtle ones are probably much cooler.
I'm not a hacker.

>> I need to fix my mistake so that it does not happen again.
> 
> Above you refused to do so because it was too much effort for you.

I find this unnecessarily harshly formulated. He hasn't refused to do anything,
even though he's not making it easy by being so secretive.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt


