On Jun 11, 2008, at 10:04 PM, Steven M. Bellovin wrote:
Let's put it like this: suppose you wanted to use all of your cryptographic skills to do such a thing. Do you think it could be cracked? I don't...
Exactly right. After Storm, I don't think anyone reasonable still believes that there's no talent in the black hat community. So even if this particular piece of malware has implementation issues, the next version won't. And then what?
Focusing on the crypto is just missing the point entirely, although I suppose it grabs headlines. But the problem at hand has nothing to do with crypto, and everything to do with the fact that our desktop security systems are fundamentally broken[0]. There is _no_ _reason_ that a piece of malware executing silently in the background should have access to the user's files without interaction or approval from the user. And you can't maliciously encrypt files you can't access.
We know how to build systems that are both drastically more secure and more usable than the ones in use today[1]. I wonder if a proliferation of headline-grabbing threats like cryptographic ransomware will help overcome the OS vendor inertia.
[0] See first half of <http://radian.org/~krstic/talks/2007/auscert/slides.pdf >. Note: I'm no longer affiliated with OLPC.
[1] E.g. <http://en.wikipedia.org/wiki/CapDesk>, <http://en.wikipedia.org/wiki/Polaris_(computer_security) >, <http://en.wikipedia.org/wiki/Bitfrost>
-- Ivan Krstić <[EMAIL PROTECTED]> | http://radian.org --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
