Fake login screens

Matthew Garrett mjg59 at srcf.ucam.org
Sun Feb 15 13:22:47 UTC 2009


On Sat, Feb 14, 2009 at 06:54:03PM +0100, Vincenzo Ciancia wrote:

> However, it seems to me that nobody is getting the point about fake 
> login screens: if I am a *user* of somebody else's network, how can I 
> protect myself from another *user* faking a login screen, used as the 
> only running X application, and stealing my password?

ctrl+alt+backspace never protected you from that. It's a mappable 
keystroke, in the same way that ctrl+alt+fwhatever are. A malicious 
client could remap it away to something else, grab ctrl+alt+backspace, 
fake an X server restart by changing DPMS mode a few times and then give 
you a fake login screen.

Arguing that something's a security feature without checking that it's 
actually a security feature isn't a good plan.
-- 
Matthew Garrett | mjg59 at srcf.ucam.org




More information about the Ubuntu-devel-discuss mailing list