[Sugar-devel] [IAEP] A security vs. functionality question

Benjamin M. Schwartz bmschwar at fas.harvard.edu
Thu Aug 6 15:02:49 EDT 2009


Luke Faraone wrote:
> A malicious attacker can type at speeds which would allow malicious commands
> to be injected without the user noticing until it is "too late".

Certainly.  Also, the system is implemented using GNU Screen, which
permits multiple parallel terminals.  This is a very useful feature, but
it also means that someone may be typing in a different shell from the one
you're looking at.

I merely mean that users are less likely to leave such a shared activity
"always on".

> Also, there is no method for "limited sharing".

Perhaps you are not aware of the Invitations mechanism?  I can invite
people to an activity, and only those whom I have invited are aware of its
existence.  Invitations were admittedly not very reliable in older
software versions; I haven't tried them recently.

I'm not precisely sure to what degree sharing scope is enforced by Telepathy.

--Ben


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
Url : http://lists.sugarlabs.org/archive/sugar-devel/attachments/20090806/9e97bf8b/attachment.pgp 


More information about the Sugar-devel mailing list