Re: [hackers] [PATCH] [slock] Remove faulty example and add a section on security considerations

From: FRIGN <dev_AT_frign.de>
Date: Wed, 28 Sep 2016 21:09:24 +0200

On Wed, 28 Sep 2016 22:03:57 +0300
"Ali H. Fardan" <raiz_AT_firemail.cc> wrote:

Hey Ali,

> I suggest you take a look at this:
> https://notabug.org/kl3/slock
>
> it used to be called "slock for the absolute paranoid", but this dude
> wanted to go further with it and make it fit his taste, but there is
> some security stuff he did there, check it out.

I know this fork, and with the changes presented in this patch, slock
is just as secure as his version.
The difference is that he for instance implemented ways to upload
webcam images to imgur, send SMS's and auto-shutdown when the user
tries to switch VT's.
I think these changes are not necessary. If somebody tries to change
VT's, so be it! Especially because the shutdown sequence can open other
attack surfaces, which he also took care of mostly, by disallowing the
use of Sysrq in the shutdown sequence. In my opinion, with a strong
password and setting the configs as in the manpage, slock is damn
secure. It honestly took me a few days to analyze the "paranoid" slock
fork to find out that what I did was sufficient.

Cheers

FRIGN

-- 
FRIGN <dev_AT_frign.de>
Received on Wed Sep 28 2016 - 21:09:24 CEST
