At 12:21 PM 10/18/2002 -0700, Bryan Allerdice wrote:
Well darn. I should have guessed that anyone monitoring system events like keyboard strokes could also monitor clipboard operations. It's all right there in the process event queue.
> Your typical keystroke logger can't do two things. First, it
> cannot do anything about data in the clipboard (Windows and
> Macintosh products both use a clipboard for temporary storage
> of text or other data).
Not in my experience. Any trojan I've run across in the past few years has clipboard monitoring too. I think it's dangerous of people to think that they are safe because they have a file with the alphabet in it and they drag and drop letters.
So it sounds like once you get a Trojan you're completely screwed. Pun intended.
Pecunix is tough because you must have the PIK code written down or visible somewhere, unless you can memorize a 16-char string and pick out the character at any given place using mental imagery.
That's why I like the CryptoCard that e-bullion has and to a lesser degree the PIK thing Pecunix has. Given enough monitored access attempts, one can learn all the character positions in a PIK - nice idea, but it's really just delaying the patient hacker. With the CryptoCard your response is always different - well, there are 100,000,000 responses, but that's a fair whack.
However, I will grant you that it is more secure to refer to parts of a printed PIK code than it is to type/paste a full password. Just keep that piece of paper safe and you'll be fine.
I also like the "pin" concept in 1mdc.com, where you choose 4 digits from drop-down lists. Bryan, is there anything you know of that can snag that? I suppose you could monitor mouse movement events and detect when drop-down lists are pulled down and scrolled, and devise an algorithm to deduce the digits from relative positioning. I guess that'll have to be in Trojan Version 2.0. :-)
Of course you're absolutely right about the CryptoCard in e-bullion. After all, the price has come down to $99.50, which is probably well worth the time you would otherwise spend fussing around with passphrases. Hmm, I might've just talked myself into it.
Anyway, that's just my take. BRYAN
With GoldMoney there's also the certificate option. I tried that once by going to Thawte and generating a freebie cert, but it turned out to be a cheap-ass piece of junk that didn't work with the GoldMoney system. I haven't revisited that experiment yet.
-- Patrick
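
The PIK point raised in the thread (monitored logins gradually expose every character position) can be quantified. The following is an added example, not part of the original messages or any vendor's code; it assumes each login challenges `k` distinct, uniformly random positions of the 16-character PIK, a value the thread does not give.

```python
from math import comb

PIK_LENGTH = 16  # from the thread: a PIK is a 16-character string


def new_position_probs(seen, k, n=PIK_LENGTH):
    """P(a challenge of k distinct positions reveals j not-yet-observed ones)."""
    total = comb(n, k)  # hypergeometric: j from the unseen, k-j from the seen
    return [comb(n - seen, j) * comb(seen, k - j) / total for j in range(k + 1)]


def expected_logins_to_full_exposure(k, n=PIK_LENGTH):
    """Expected monitored logins until every PIK position has been observed."""
    expected = [0.0] * (n + 1)  # expected[n] == 0: nothing left to learn
    for seen in range(n - 1, -1, -1):
        p = new_position_probs(seen, k, n)
        future = sum(p[j] * expected[seen + j]
                     for j in range(1, k + 1) if seen + j <= n)
        expected[seen] = (1.0 + future) / (1.0 - p[0])
    return expected[0]


def replay_success_after(logins, k, n=PIK_LENGTH):
    """P(a fresh challenge asks only for positions seen in `logins` sessions)."""
    dist = [0.0] * (n + 1)  # dist[s] = P(exactly s positions observed so far)
    dist[0] = 1.0
    for _ in range(logins):
        nxt = [0.0] * (n + 1)
        for seen, mass in enumerate(dist):
            if mass:
                for j, pj in enumerate(new_position_probs(seen, k, n)):
                    if pj:
                        nxt[seen + j] += mass * pj
        dist = nxt
    return sum(m * comb(s, k) / comb(n, k) for s, m in enumerate(dist))


if __name__ == "__main__":
    # k is an assumption; the thread does not say how many positions are asked.
    for k in (1, 2, 3, 4):
        print(f"k={k}: full exposure after ~"
              f"{expected_logins_to_full_exposure(k):.1f} monitored logins; "
              f"fresh challenge answerable after 10 logins with p="
              f"{replay_success_after(10, k):.3f}")
    # The thread's figure for the CryptoCard: 100,000,000 possible responses.
    print(f"blind guess against a one-time response: p={1 / 100_000_000:.0e}")
```

The per-login exposure of a static secret accumulates, whereas a one-time response gives an observer nothing reusable, which is the contrast drawn in the message above.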
---
Use e-gold's Secure Randomized Keyboard (SRK) when accessing your e-gold account(s) via the web and shopping cart interfaces to help thwart keystroke loggers and common viruses.
