On Mon, Oct 15, 2018 at 4:25 PM robert engels <reng...@ix.netcom.com> wrote:
>
> Maybe, but still, if they have root access to your machine, they can just as
> easily alter the accessing binary to send the decoded password elsewhere
> after it has decoded it…

Which is why you disable remote root access on hosts that run security services... If someone has physical access, all bets are off anyway.

> Which is why applications on osx are “signed” (to prohibit tampering)
> (although if you have root access - you could probably also add the bogus
> signing cert to the certificate store). As far as I know Linux and its
> variants don’t enforce signed binaries.

I am aware of why macOS, iOS, Android, etc. sign apps. Thanks. Adding a bogus signing cert to the app store would be a rather sophisticated attack, and I am relatively certain having root access on a client system would not grant that ability. Also, doing that in an undetectable way would also be a sophisticated attack.

I don't know of a Linux distribution that enforces signed binaries, but packages are signed. Not the same, of course, but close. There is also AppArmor and SELinux to enforce isolation.

> I only point this out because you give the impression that because you “use a
> hardware device” it is secure - this is not really the case.

I don't think I gave that impression at all. Absolute security that is in any way functional doesn't exist. Without question, using a hardware security device is more secure than the alternatives. Saying "that is not really the case" isn't correct.

> Security is always a trade-off.

Though I didn't state that explicitly, I feel it was implicit in my comments about threat modeling.

--
Christopher Nielsen
"They who can give up essential liberty for temporary safety, deserve neither liberty nor safety." --Benjamin Franklin
"The tree of liberty must be refreshed from time to time with the blood of patriots & tyrants." --Thomas Jefferson