On Thu, Dec 04, 2003 at 11:55:26AM -0800, Tom wrote:
> Yes, but the reason it would have been efficacious in this *particular*
> instance is the hacker sniffed the password, and then logged on to
> Debian's servers later at his leisure from a different PC. With a
> smartcard, he would have had to do it *on* the Dev's infected PC *while*
> the smartcard was plugged in. In theory the smartcard would not be
> plugged in all the time, thus diminishing the attack surface.
Not really; he just has to set things up ahead of time. This is like claiming the attacker has to be present in order to sniff your password from a telnet session (he doesn't; he just has to have been around at any time before then in order to set up a sniffer).

-- 
- mdz