[e-gold-list] Re: PGP, Pecunix, Vulnerabilities

2003-11-26 Thread Jim Davidson
Dear JP,

Note:  if you have an effective keystroke logger installed on
someone's computer   here's a newsflash ...  YOU
DO NOT NEED TO DO ANYTHING LIKE BOTHER BREAKING THEIR ENCRYPTION!!!

You haven't thought it through.  Yes, with a keystroke logger
one can read everything the subject types.  But, with a
keystroke logger and their purloined private keyring, any
messages encrypted to their public key by anyone else in the
world can also be read, without having keystroke loggers on all
those machines.

Saying "oh, well, everyone knows security method X is no good
because it is vulnerable to keystroke loggers" is just a sort
of non-comment. EVERYTHING is rendered useless if you have a
keystroke logger, or -- say -- a camera in the room watching
everything the person types.

Everything on that compromised machine, yes.  And, with the
PGP password from that keystroke logger and the private keyring,
everything that person receives encrypted on any machine is
compromised, along with everything sent by anyone who courteously
encrypts to his key.

Moreover, once one has the PGP password and keyring, one does
not need to bother with the huge files involved in a keystroke
log.  Keep in mind that analysis is always the area where spy
stuff falls apart.  Much better to simply grab the messages
the subject bothers to encrypt - since these are certainly
the interesting stuff.

Given the ready availability of solutions like SRK and
your own application of drop down lists, I'm sort of
pissed that PGP still pretends that a typed password is
adequate security.  Aren't you?

Regards,

Jim

---
You are currently subscribed to e-gold-list as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
Use e-gold's Secure Randomized Keyboard (SRK) when accessing your e-gold account(s) via the web and shopping cart interfaces to help thwart keystroke loggers and common viruses.


[e-gold-list] Re: PGP, Pecunix, Vulnerabilities

2003-11-26 Thread jpm
However, PGP is extremely vulnerable to keystroke logging.
Clipboard pasting your PGP password simply shifts the
vulnerability to clipboard logging.  And the PGP private
key would seem to be something one could grab off the
user's hard drive over the 'net.

It's always vaguely annoying when non-security experts talk about
computer security!  (I know nothing, so I shut up!)

Note:  if you have an effective keystroke logger installed on 
someone's computer   here's a newsflash ...  YOU DO NOT 
NEED TO DO ANYTHING LIKE BOTHER BREAKING THEIR ENCRYPTION!!!

Saying "oh, well, everyone knows security method X is no good because
it is vulnerable to keystroke loggers" is just a sort of non-comment.
EVERYTHING is rendered useless if you have a keystroke logger, or --
say -- a camera in the room watching everything the person types.


