
Re: [PGP-USERS] Password Keystroke Snarfer Programs (passphraseprotection)



At 12:25 am -0800 12/19/96, Bill Stewart wrote:
>Several articles on the PGP-users mailing list have discussed
>keystroke snarfers that unexpectedly grab and save keystrokes,
>including passwords, severely weakening any benefits from encryption.
[elided]
>From: [email protected] (Pat McCotter)
>>Which is why, every once in a while, I do a search of my entire disk [...]
>>with Norton DiskEditor.  [elided]
>
>Be careful - PGP goes to a lot of effort to overwrite your passphrase
>when it's done using it; Norton or grep or other disk-crawlers are unlikely
>to do so, because that sort of paranoia's not part of their job [elided]

Indeed, and any malignant passphrase-snarfer is probably going to
anticipate this counter-attack and scramble the text stream it saves
invisibly so that disk sector searches will be unlikely to pop up your
passphrase. We definitely need to build better defenses against this sort
of thing.

   dave


________________________________________________________________________
Dave Del Torto                                      +1.415.524.6231  tel
Manager, Strategic Technical Evangelism             +1.415.631.0599  fax
Pretty Good Privacy, Inc.                        http://www.pgp.com  web