virtualbox) dedicated to this purpose and this purpose only.

Exaggeration IMHO. just make sure your normal user has 700 permissions,
create another and run browser from it.

What about permissions in X? Even if you started the browser as
another user, you'd still have to xhost + that user. And from

i just copy .Xauthority file.

there, it's easy to hijack the X session (including keylogging etc.).

You mean Xorg can easily be hijack'ed that way?

So you'll start another Xorg process as the other user, but are you

Nothing forbids you to start 2 X servers and do console switching.

That's just the tip of the iceberg. You never know what's still
lurking out there on the host OS, and when you need strong security, a
virtualized environment for untrusted processes as a minimum is a
*must-have*. And even then, that is risky, if the emulator or
paravirtualizer contains bugs and flaws.

Even more important is to not use "standard" methods, as potential attcker can only quess what you do.

modern day browsing even on fast machines. So it's not always
practical to do so (though when security is paramount, browsing
slowing may well be the price to pay).

Separate computer is 1000 times simpler solution to your needs.

That's right, and that's why non-Windows users are less exposed to
the usual risks. But still, one has to be careful.


It's a matter of protecting yourself from "big brothers" that watch

Or from "little brothers" that explicitly target your infrastructure
(think: industrial espionage etc.). Those attackers are much more
worrying that your usual suspects, script kiddies et al., as contrary
to the broad attackes of the latter, the former usually have more
resources, including time, to conduct targeted penetration attempts
into your secure environment.

But they will not attack your company for sure.
There are MUCH simpler methods. Just pay few bucks to charwoman to look at papers glued to monitor with passwords on them ;), or maybe a minute more to look at different places.

Are you sure the employees in your company doesn't do that? :)
_______________________________________________ mailing list
To unsubscribe, send any mail to ""

Reply via email to