[EROS-Arch] Re: [E-Lang] Re: Interaction Design for End-User Security
Robert Wittams
robert.wittams@ic.ac.uk
22 Mar 2001 22:41:17 +0000
> situation's actually much more severe than Robert's second sentence would
> indicate: locking the screen makes no difference. A machine that an
> attacker may have had physical access to
Yeah, I was kind of focusing on "pranksters" rather than determined
attackers..
An example of a prank.. changing someone's homepage to something
"naughty" in an office environment. Har de har. The problem with having
this kind of thing reviewable is that you need to do one of two things:
1) Trust every program that you could possibly interact with to log
every possible action to a central logging service. Unrealistic level of
trust, and painful to program.
2) Have the GUI intercept every action and interpret and tell you what
it means. Unrealistic computationally for it to tell you what it means.
So anything which did this would almost certainly give a false sense of
security, as actions *would* go unnoticed. Also, if people won't lock
their screens, you think they are going to bother to look through a log?
Basically, if someone is acting with your authority, you are truly
screwed. There is no way around that. If your stuff is that sensitive,
you need a smart card tied round your neck on a short bit of string as
an authentication token, so when you turn around, your session is
suspended. This is probably overkill for most people.
Rob