
Re: [PGP-USERS] Password Keystroke Snarfer Programs (passphrase protection)



At 8:45 AM -0800 12/19/96, Dave Del Torto wrote:
>At 12:25 am -0800 12/19/96, Bill Stewart wrote:
....
>>
>>Be careful - PGP goes to a lot of effort to overwrite your passphrase
>>when it's done using it; Norton or grep or other disk-crawlers are unlikely
>>to do so, because that sort of paranoia's not part of their job [elided]
>
>Indeed, and any malignant passphrase-snarfer is probably going to
>anticipate this counter-attack and scramble the text stream it saves
>invisibly so that disk sector searches will be unlikely to pop up your
>passphrase. We definitely need to build better defenses against this sort
>of thing.
>

The only way I know to solve this problem is to get a real operating system.
This excludes the Mac, DOS and its descendants.
First the kernel must be designed to prevent programs from installing
themselves wherever they wish. (Gasp, even useful programs!) Second
they must not be encumbered with piles of tools written by people with
no sense of security. Such tools are often installed with more authority
than they should require. There is a Unix system call that displays the
most recent command that any user has typed. This call is used by the
ps command to describe the origin of a task.

Perhaps NT is new enough that it hasn't gathered all of these holes.
I don't use NT so I wouldn't know.