On Tue, Jan 08, 2008 at 10:48:41AM -0500, Douglas A. Tutty wrote:
> I suppose the only way to have a "trusted-secure" box and an
> "untrusted-insecure" box with one display/keyboard would be a KVM.

This is pretty much the case - depends on what you want to trust. If you trust the X server and the OS kernel, you can run a separate X server for another user, or VNC, which is somewhat safer than X clients sharing one X server (but VNC clients can and do have bugs).
In any case, if you want to interact with an online bank you will always have to trust something to communicate over the network. It's all about what you want to defend against and what kind of usability degradation you want to accept.

> Please tell me that there's no way for a compromised box to do keystroke
> monitoring of a kvm.

With a mechanical one you are safe, but all usable KVM switches have a CPU and software - you don't get the source, and you have no choice but to trust it. In the case of USB the software is probably pretty complex and could very well contain exploitable bugs. I wouldn't be surprised if some KVMs had flash, which would allow complete compromise of it if you found a way to run code on it.

Actual, physical separation of the machines is the only 100% secure way to prevent information from leaking between them. I'd be more worried about the network cable between them than a KVM, though.

You also shouldn't forget yet another link between the machines - the user. I've typed passwords and other sensitive things to the wrong machine more than once when tired, and a KVM probably makes that much easier than having separate machines that are far enough from each other so that you can't look at the wrong screen while typing (if they are next to each other, a KVM is better than the confusion of having 2 keyboards).

--
Jussi Peltola