> If you don't trust the endpoint, no amount of one time passwords, or
> ssh will save you. You will get keylogged, or followed in, and owned.
> it's that simple. Why mess around with gymnastics like s/key from an
> untrusted host instead of solving the real threat to your security?

I was in a town in southern Chile, way south.. small little town; about 10 internet cafes around town.. (in some parts of small town Chile, every 2nd business is also an internet cafe)

This one place had 8 PCs downstairs, and about 8 upstairs... they had a full-time guy reinstalling Windows on them, because about 1 hour after he was done a machine would be re-infected with all sorts of creepy shit, and after about 8 hours it would become totally unreliable and sluggish to the point where it was causing their customers too much grief... and the reinstall dude would make his rounds again..

And that was a good Internet cafe. In that town, the others were worse. Because they didn't have a guy who reinstalled the machines.

And that was machines in southern Chile, with pretty piss-poor network connectivity to them.

That is why I travel with a laptop or a Zaurus. I can read mail on using a throw-away email address, and if I need to I can use the Zaurus to do small tasks.

Doing it any other way is totally stupid. Or you don't need security and won't have it.

And anyone else here who suggested that you could use OTP to solve this is totally clueless.