On Jun 11, 2008, at 10:04 PM, Steven M. Bellovin wrote:
Let's put it like this: suppose you wanted to use all of your
cryptographic skills to do such a thing. Do you think it could be
cracked? I don't...
Exactly right. After Storm, I don't think anyone reasonable still
believes that there's no talent in the black hat community. So even if
this particular piece of malware has implementation issues, the next
version won't. And then what?
Focusing on the crypto is just missing the point entirely, although I
suppose it grabs headlines. But the problem at hand has nothing to do
with crypto, and everything to do with the fact that our desktop
security systems are fundamentally broken[0]. There is _no_ _reason_
that a piece of malware executing silently in the background should
have access to the user's files without interaction or approval from
the user. And you can't maliciously encrypt files you can't access.
We know how to build systems that are both drastically more secure and
more usable than the ones in use today[1]. I wonder if a proliferation
of headline-grabbing threats like cryptographic ransomware will help
overcome the OS vendor inertia.
[0] See first half of http://radian.org/~krstic/talks/2007/auscert/slides.pdf
. Note: I'm no longer affiliated with OLPC.
[1] E.g. http://en.wikipedia.org/wiki/CapDesk, http://en.wikipedia.org/wiki/Polaris_(computer_security)
, http://en.wikipedia.org/wiki/Bitfrost
--
Ivan Krstić [EMAIL PROTECTED] | http://radian.org
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]