Werner Koch writes:
|
| > If the system is compromised, you cannot be sure of the
| > authenticity of messages coming from there, can you?
|
| Right.
And therein is the issue. A year ago, I wrote an editorial where I made a semi-numeric, mostly educated guess that 15-30% of all home/private systems were already compromised. I got some hate mail, but in the intervening months Vint Cerf said 40%, Microsoft said 2/3rds, and IDC said 3/4ths. Whatever the true number is, real risk management must now assume that the counterparty to a conversation stands a good chance of being 0wned.

That said, the discount brokerages are hurting on this, as 0wned machines mean that stock pump&dump schemes can be pumped by booking real trades from real people with real money, i.e., steal the password via a key logger and then time the trade to help with the pump phase. I've another editorial on that, but suffice it to say that in at least one instance, the November 06 10-Q filing by e-Trade, the losses in question reached the level that required SEC disclosure.

Which brings us to a point: Those brokerages want, and are willing to pay real money for, something like an Active-X component that at the outset of the trading session is downloaded fresh, steals the keyboard away from the operating system, and pipes keystrokes through an entirely distinct network stack direct to the trading environment, i.e., makes the home user's PC into a dumb terminal for a moment.

On the one hand, that this could work is horrifying, and the idea of teaching the user community to say yes to "steal my keyboard" is likewise horrifying. But on the other hand there is a coherent argument that people fall into two camps: those who always click "YES" and those who never do. If someone always clicks "YES," then the odds are that they are already 0wned and, thus, you need to 0wn them for a moment if you are going to do anything important. If someone never clicks "YES," then the odds are that they are canny and self-protecting, so you don't need to 0wn them up just to have a transaction.
The times, they are a changin'

--dan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users