On 18-04-2014 07:54, Stuart Henderson wrote:
> On 2014-04-18, alexander taylor <alexander.j.tay...@jacobs.ucsd.edu> wrote:
>> as an example, i could install
>> a keylogger on the machines at my school, but this takes more time
>> than i have, and leaves a trace that may allow me to get caught.
> how long does that really take? swap a keyboard for a similar looking
> one with a transmitter in? once installed it just needs to transmit
> via radio, so the attacker doesn't need to go back to the machine.

As I mentioned, physical access means game over, pretty much always. In the case where the user isn't using full disk encryption, you can even bypass their security by booting off some USB disk and simply installing a software keylogger, which will report the keystrokes to you over the internet. In this case, having the ssh key encrypted won't help, because the attacker will already have a copy of it and just needs to wait for the user to type the password. And in this case it's even worse, because the user will most likely never know they were attacked.
I believe that instead of promoting a false sense of security, we should encourage people to think for themselves. I believe one of the main reasons why the Snowden revelations didn't spawn a major outcry across the world is that people tend to be lazy. And we, as programmers, also tend to favor that behavior. I'm not saying we should create overly complex programs that will end up not being used. I'm just saying that we should teach them to use the software more wisely. Security is, and always will be, a trade-off. The more security, the more inconvenience. But in this case of the ssh keys, I believe it's more worthwhile teaching people to always create them with passwords.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
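The message above argues for always creating ssh keys with a passphrase. One practical follow-up is auditing the keys already on disk for a missing passphrase. The script below is an added example written for this thread; it is not code from any of the posters or from OpenSSH. It parses the two on-disk formats ssh-keygen writes (the openssh-key-v1 envelope, where the first wire-format string after the magic is the cipher name and "none" means unencrypted, and the legacy PEM format, where an encrypted key carries a `Proc-Type: 4,ENCRYPTED` header). The sample keys at the bottom are constructed envelopes with no real key material; the function and constant names are the example's own.

```python
"""Audit OpenSSH private keys for a missing passphrase (added example,
not part of OpenSSH). Handles the openssh-key-v1 envelope and legacy PEM."""
import base64
import glob
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_is_encrypted(key_text):
    """Return True if the private key is passphrase-protected, False if not.

    Raises ValueError for input that is not a recognised private key."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM/OpenSSH private key")
    header = lines[0]
    if header == OPENSSH_HEADER:
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # Layout after the magic: string ciphername, string kdfname, ...
        # ssh-keygen writes ciphername "none" when no passphrase was given.
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"
    if header.endswith("PRIVATE KEY-----"):
        # Legacy PEM (ssh-keygen -m PEM): encryption is signalled by a
        # "Proc-Type: 4,ENCRYPTED" header line before the base64 body.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                   for ln in lines[1:])
    raise ValueError("unrecognised key header: " + header)


def audit_keys(keys):
    """Map key name -> True/False (encrypted or not) for a dict of key texts."""
    return {name: key_is_encrypted(text) for name, text in keys.items()}


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _constructed_openssh_key(cipher, kdf):
    """Build a minimal openssh-key-v1 envelope for testing. Constructed
    sample: the fields after cipher/kdf are empty, so it holds no key."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1)
            + _ssh_string(b"") + _ssh_string(b""))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return (OPENSSH_HEADER + "\n" + wrapped
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples (no real key material anywhere).
SAMPLES = {
    "id_ed25519_nopass": _constructed_openssh_key(b"none", b"none"),
    "id_ed25519_pass": _constructed_openssh_key(b"aes256-ctr", b"bcrypt"),
    "id_rsa_pem_pass": ("-----BEGIN RSA PRIVATE KEY-----\n"
                        "Proc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
                        "\nAAAA\n-----END RSA PRIVATE KEY-----\n"),
    "id_rsa_pem_nopass": ("-----BEGIN RSA PRIVATE KEY-----\n"
                          "AAAA\n-----END RSA PRIVATE KEY-----\n"),
}


def scan_ssh_dir(path=os.path.expanduser("~/.ssh")):
    """Report every id_* file in the directory that lacks a passphrase."""
    results = {}
    for fn in glob.glob(os.path.join(path, "id_*")):
        if fn.endswith(".pub"):
            continue
        with open(fn) as fh:
            try:
                results[fn] = key_is_encrypted(fh.read())
            except ValueError:
                continue
    return results


if __name__ == "__main__":
    for name, enc in audit_keys(SAMPLES).items():
        print(name, "encrypted" if enc else "NO PASSPHRASE")
    for fn, enc in scan_ssh_dir().items():
        if not enc:
            print("unprotected key:", fn)
```

Run it as-is to see the constructed samples classified; `scan_ssh_dir()` then walks the real `~/.ssh` and lists any private key that would be usable straight off a copied disk, which is exactly the case the message above describes. A key reported as unprotected can be given a passphrase in place with `ssh-keygen -p -f <file>`.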