* Monique Y. Herman ([EMAIL PROTECTED]) [031203 16:59]:
> I have been wondering about the password-sniffing thing, too. If you
> send a password using ssh, isn't it encrypted?
>
> I suppose some debian developer's kid sister could have installed a
> keystroke logger on the dev machine ... um ...
Almost there -- minus the assumption that one needs physical access to a machine to install a keystroke logger.

At the risk of perpetuating the telephone game, I recall reading that the developer's machine had been rooted. I didn't hear how, but I don't really see how it matters. I picture an always-on machine in someone's home on a DSL or cable line. So how did it get rooted? Shit happens. Once you've got root, getting a keystroke logger in place is trivial. Once you've got that, it doesn't matter what encryption is used on the network wire -- it was 0wnz3d when it left the fingers.

I'm considering keeping my private keys (ssh, gpg, etc.) on removable storage, maybe one of those USB keys (then my keys could actually go on my keyring...). It's certainly not foolproof, but at least a sniffed passphrase could only be used against me when the key is inserted, which at least slightly reduces the possibility of a private key being compromised.

BTW, Monique, your UA seems to have really screwed up on the message you replied to. Is it not MIME-aware? The reply had a quoted MIME header in it, along with a lot of non-decoded QP equals signs littered about it.

good times,
Vineet

-- 
http://www.doorstop.net/ --
#include <stdio.h>
int main() {
    puts("Reader! Think not that \n"
         "technical information \n"
         "ought not be called speech;");
    return 0;
}