
Re: Debian Investigation Report after Server Compromises



* Monique Y. Herman (spam@bounceswoosh.org) [031203 16:59]:
> I have been wondering about the password-sniffing thing, too.  If you
> send a password using ssh, isn't it encrypted?
> 
> I suppose some debian developer's kid sister could have installed a
> keystroke logger on the dev machine ... um ...

Almost there -- minus the assumption that one needs physical access to a
machine to install a keystroke logger.  At the risk of perpetuating the
telephone game, I recall reading that the developer's machine had been
rooted.  I didn't hear how, but I don't really see how it matters.  I
picture an always-on machine in someone's home on a DSL or cable line.
So how did it get rooted?  Shit happens.  Once you've got root, getting
a keystroke logger in place is trivial.  Once you've got that, it
doesn't matter what encryption is used on the network wire -- it was
0wnz3d when it left the fingers.

I'm considering keeping my private keys (ssh, gpg, etc) on removable
storage, maybe one of those USB keys (then my keys could actually go on
my keyring...).  It's certainly not foolproof, but at least a sniffed
passphrase could only be used against me when the key is inserted,
which at least slightly reduces the possibility of a private key being
compromised.

BTW, Monique, your UA seems to have really screwed up on the message you
replied to.  Is it not MIME-aware?  The reply had a quoted MIME header
in it, along with a lot of non-decoded QP equals signs littered about it.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
#include<stdio.h>
int main() {
    puts("Reader! Think not that \n"
         "technical information \n"
         "ought not be called speech;");
    return 0;
}
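The removable-media idea in the post above, carried one step further as an added example (this is not code from the thread or from Debian): before loading a private key into ssh-agent, check that the key file really lives under the removable mount point (not a copy left on the fixed disk) and is not group- or world-readable, then load it with a bounded lifetime so the agent forgets it even if the stick stays plugged in. `ssh-add -t` is a real OpenSSH option; the helper names, the mount path and the key path are assumptions, and `stat -c` / `realpath` assume a GNU or busybox userland.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumes: OpenSSH ssh-add(1) with -t (key lifetime), GNU/busybox stat -c and realpath.
# Helper names (key_on_media, load_key) are hypothetical.

# key_on_media KEY MEDIA
# Returns 0 only if KEY is a regular file with mode 0600 whose resolved path
# lies under the resolved MEDIA directory; otherwise returns 1.
key_on_media() {
    key=$1
    media=$2
    [ -f "$key" ] || return 1
    mode=$(stat -c %a "$key" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || return 1
    real_key=$(realpath "$key") || return 1
    real_media=$(realpath "$media") || return 1
    case "$real_key" in
        "$real_media"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# load_key KEY MEDIA [TTL_SECONDS]
# Adds KEY to the running ssh-agent with a lifetime (default 15 minutes),
# but only after key_on_media confirms it is a 0600 file on the removable volume.
load_key() {
    key=$1
    media=$2
    ttl=${3:-900}
    if key_on_media "$key" "$media"; then
        ssh-add -t "$ttl" "$key"
    else
        echo "refusing to load: $key is not a 0600 file under $media" >&2
        return 1
    fi
}

# Example usage (paths are assumptions):
#   load_key /media/usbkey/keys/id_ed25519 /media/usbkey 600
```

The lifetime matters because a sniffed passphrase is only useful while the key material is reachable; a short `-t` narrows that window on the agent side in the same way that unplugging the stick narrows it on the filesystem side.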
