On Thu, Dec 04, 2003 at 02:23:54PM -0500, Matt Zimmerman wrote:
> On Tue, Dec 02, 2003 at 05:19:22PM -0800, Tom wrote:
> You must be joking. If the developer's system is compromised, and he logs
> into another system after that time, that system can be easily compromised
> also.

Yes, but the reason it would have been efficacious in this *particular* instance is the hacker sniffed the password, and then logged on to Debian's servers later at his leisure from a different PC. With a smartcard, he would have had to do it *on* the Dev's infected PC *while* the smartcard was plugged in. In theory the smartcard would not be plugged in all the time, thus diminishing the attack surface.