On Wed, 28 Sep 2005 08:20:50 -0700, Donald J. Ankney wrote: >On Sep 27, 2005, at 11:37 PM, Jurjen Oskam wrote: > >> On Tue, Sep 27, 2005 at 11:36:22PM -0500, C. Bensend wrote: >> >>> 1) Log into system via ssh skey, which is a one-time auth method >>> 2) Type 'sudo farfegnugen blahblah yadda' >>> 3) Log out >> >> You're assuming that the keys you press are transmitted unmodified to >> your server. Since the terminal is not under your control, there's >> no reason why it can't send, e.g., "sudo rm -rf /" all by itself >> after >> it sees you're logged in. >> >> And this is just one example. >> >> -- >> Jurjen Oskam >> > >To take this a step further, the host os (untrusted Windows box) >could also inject malicious keystrokes into an SSH session. It >wouldn't be as easy an attack since the injection has to happen >between the keyboard and Putty (rather than just injecting into an >unencrypted stream), but it still presents an attack vector. > >You can put a live-cd together on a business card sized CD that will >fit in your wallet. Even if you end up with Knoppix instead of >OpenBSD, at least you know it's clean. > > And if I own the internet cafe and have fitted keylogging hardware?
>From the land "down under": Australia. Do we look <umop apisdn> from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
