On 18/01/2017 22:06, Konstantin Ryabitsev wrote:
> Hi:
>
> Joanna and I had a quick back-and-forth about this article today:
> https://textslashplain.com/2017/01/14/the-line-of-death/
>
> Pic-within-a-pic attack was mentioned, and I was wondering if we can
> do more to prevent spear-attacks aimed at Qubes users. I'm willing to
> bet your trusted work terminal looks exactly like this [1] (except my
> added bash powerline bits). Most people won't rename it from [work] to
> something else (partly for ease of copying files between VMs, partly
> out of inertia), so I'm willing to bet most of you would have a blue
> frame with the title "[work] user@work:~".
>
> What if each login session generated a short random text label
> displayed prominently as part of XFCE top bar UI, to act as your
> "session UI fingerprint," like "<XoaZ>" for the sake of example. Then
> the window decoration title would be:
>
> <XoaZ>:[work] user@work:~
>
> Identifying pic-within-a-pic attacks would be easier by quickly
> checking if the random string in the window title matches the string
> displayed in the XFCE ui (our "trusted pixels").
>
> Just a thought for your consideration -- I have no idea how much work
> this would be. :)
>
> .. [1] http://imgur.com/a/7Fzd0
>

Having to compare two strings will quickly get annoying and be ignored, I
think. In the end, comparing the two strings is probably just as
annoying as sliding the top window so that it does not overlap another window, as
is recommended in the documentation.

But pic within a pic is a real threat, for example:
https://www.youtube.com/watch?v=G81hQOpdV2Y&feature=youtu.be&t=2796

Can we consider the background as safe (possibly by changing it on the
fly with something that can't be guessed depending on the active
window), and set each window that is not active to semi transparent?
