Automount security concerns?

Matthias Fuchs mat69 at gmx.net
Fri Mar 11 19:37:47 GMT 2011


In fact I have used plasma ...
Might be that I changed the default and can't remember anymore.

In this case, as you pointed out, this is most likely a non-issue KDE-wise,
unless the user changed it to auto mounting.

On Friday 11 March 2011, 20:27:20, Markus Slopianka wrote:
> I'm wondering if you took the time to actually try Plasma Desktop before
> posting that mail.
> By default no drive is mounted automatically. Device Notifier just notifies
> that a new drive is present. Users have to click first (either in the
> Plasma popup or Dolphin's side bar) to mount the drive. To get automatic
> mounting, the user has to change settings first. Because of this the given
> attack case is of no concern.
> 
> On Friday 11 March 2011, 18:35:45, Matthias Fuchs wrote:
> > Hi,
> > 
> > I just watched a video [1] on exploiting autorun/generating of
> > thumbnails/... of data on usb sticks.
> > Yes this is specific to Gnome, though I wonder if that could be a problem
> > in KDE too, as is mentioned at the ending.
> > E.g. I don't know if strigi starts indexing files automatically on
> > mounted stuff.
> > 
> > Yes physical access is always bad. But imagine you are at a place where
> > many people are (and stealing the pc is no option). Just going to the
> > toilet for a short moment -- with the screen locked -- could make your
> > computer cracked.
> > 
> > In general I think that nothing usb-stick/new hardware related should
> > happen if the screen is locked. And if really a usb-stick is connected to
> > the pc while locked, then a dialog should pop up -- which can only be
> > accessed when unlocking -- asking for further actions.
> > This way the risk is reduced and the user gets informed at the same time.
> > 
> > Now where should this happen? Probably in solid, so that nothing being in
> > general informed of new devices will be activated.
> > 
> > [1] http://www.youtube.com/watch?v=ovfYBa1EHm4




More information about the kde-core-devel mailing list