[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Passive Trojan (was:Re: HAZ-MAT virus)



Timothy C. May wrote:
> At 9:38 AM 9/3/96, Hans "Unicorn" Van de Looy, aka "Deep Throat,"  wrote:
> >::
> >Request-Remailing-To: [email protected]
> >::
> >Request-Remailing-To: [email protected]
> ....
> >::
> >Request-Remailing-To: [email protected] (Paul S. Penrod)
> >Deep Throat.
> 
> 
> Hey, Hans, ya gotta watch those "Cc: [email protected]" lines!
> At least now we know who the _other_ "Unicorn" is.

Which brings up the following question: what is the role of human 
screwups in cryptosecurity? How "foolproof" (no pun intended) should
be remailer clients? How can we prevent people from forgetting to delete 
unencrypted files after encryption?

Alternatively, let's think about this: premail always fingers
a certain user account at berkeley.edu to obtain remailer keys.

Suppose that Joe DrugUser uses remailers to talk to his
Columbian friends and the government wants to find out what he is doing.
They could just break into the computer at berkeley.edu and replace keys
with the government-provided keys. They could even modify the finger
server so that it would be lying only to Joe's computer and would
work just as before for all others (to prevent detection).

The government would then intercept Joe's communications and
decrypt them.


	- Igor.