Wojciech Puchar wojtek at
Wed Jun 3 11:15:50 UTC 2009

>>> virtualbox) dedicated to this purpose and this purpose only.
>> Exaggeration IMHO. just make sure your normal user has 700 permissions,
>> create another and run browser from it.
> What about permissions in X? Even if you started the browser as
> another user, you'd still have to xhost + that user. And from

i just copy .Xauthority file.

> there, it's easy to hijack the X session (including keylogging etc.).

You mean Xorg can easily be hijack'ed that way?

> So you'll start another Xorg process as the other user, but are you

Nothing forbids you to start 2 X servers and do console switching.

> That's just the tip of the iceberg. You never know what's still
> lurking out there on the host OS, and when you need strong security, a
> virtualized environment for untrusted processes as a minimum is a
> *must-have*. And even then, that is risky, if the emulator or
> paravirtualizer contains bugs and flaws.

Even more important is to not use "standard" methods, as potential attcker 
can only quess what you do.

> modern day browsing even on fast machines. So it's not always
> practical to do so (though when security is paramount, browsing
> slowing may well be the price to pay).

Separate computer is 1000 times simpler solution to your needs.

> That's right, and that's why non-Windows users are less exposed to
> the usual risks. But still, one has to be careful.


>> It's a matter of protecting yourself from "big brothers" that watch
>> others.
> Or from "little brothers" that explicitly target your infrastructure
> (think: industrial espionage etc.). Those attackers are much more
> worrying that your usual suspects, script kiddies et al., as contrary
> to the broad attackes of the latter, the former usually have more
> resources, including time, to conduct targeted penetration attempts
> into your secure environment.

But they will not attack your company for sure.
There are MUCH simpler methods. Just pay few bucks to charwoman to look at 
papers glued to monitor with passwords on them ;), or maybe a minute more 
to look at different places.

Are you sure the employees in your company doesn't do that? :)

More information about the freebsd-questions mailing list