1997-01-27 - Passphrase Online…

Header Data

From: John Shaft <shaft@africamail.com>
To: cypherpunks@toad.com
Message Hash: f9db7deae1c8ec9e8460b54297a26a38ddd017cc775927f675d0f8060d8e46c1
Message ID: <1.5.4.32.19970127184948.0069dd0c@pop3.afn.org>
Reply To: N/A
UTC Datetime: 1997-01-27 18:48:07 UTC
Raw Date: Mon, 27 Jan 1997 10:48:07 -0800 (PST)

Raw message

From: John Shaft <shaft@africamail.com>
Date: Mon, 27 Jan 1997 10:48:07 -0800 (PST)
To: cypherpunks@toad.com
Subject: Passphrase Online...
Message-ID: <1.5.4.32.19970127184948.0069dd0c@pop3.afn.org>
MIME-Version: 1.0
Content-Type: text/plain



>>If I am connected to the Internet via a SLIP/PPP connection and I
>>type my passphrase while being online (for example, in Private
>>Idaho, after getting my mail), could that passphrase be compromised?
>>If so, how would that be done?

There are a number of things that can happen. Basically, if you don't
directly control the device/application that is doing the encryption for
you, you run the risk of someone intercepting whatever you xmit. For
example, if you have a dial up type shell account with your local ISP, and
you depend on some UNIX based encryption program to secure your mail
(running on the ISP's machine), anyone with root access can tap the tty and
watch you enter your passphrase. You're also susceptable (sp?) to someone
tapping your phone line and looking at you with a packet analyzer.

I suppose if you were doing something locally, and someone wanted to be
really sneaky, they could embed something like keycopy on your machine (with
a virus or something) and get copied every time you enter a keystroke. I
don't suppose it would be all that difficult to get a machine to run a TSR
that got kicked off every time you accessed something like, say,
PGP....Comments?

Shaft! Damn Straight.

shaft@africamail.com
