From: “A. Padgett Peterson, P.E. Information Security” <PADGETT@hobbes.orl.mmc.com>
To: dcrocker@brandenburg.com
Message Hash: ffcf8feea1030be2bd91c10b0f9106120621a7c041869de920b7c42e03e29b56
Message ID: <960204111411.202124c6@hobbes.orl.mmc.com>
Reply To: N/A
UTC Datetime: 1996-02-04 16:29:20 UTC
Raw Date: Mon, 5 Feb 1996 00:29:20 +0800
From: "A. Padgett Peterson, P.E. Information Security" <PADGETT@hobbes.orl.mmc.com>
Date: Mon, 5 Feb 1996 00:29:20 +0800
To: dcrocker@brandenburg.com
Subject: RE: Don't type your yes/fraud response into your computer
Message-ID: <960204111411.202124c6@hobbes.orl.mmc.com>
MIME-Version: 1.0
Content-Type: text/plain
> At base, the moral to the story is that a compromised user machine
>permits essentially any and all activities to be suborned. Only a smart
>card mechanism stands a chance of standing up to this, but that, in effect,
>makes the smart card the 'user machine'.
True and has been one reason the smartcards/tokens/etc have been available
for years. The other side of the coin is expense - for a smart card and
reader you are looking at over $100. For a token alone (you enter the
one-time response) $30-$60. In a mass-market environment, this is not
supportable.
OTOH, keyboard sniffing software is easy to detect because it must go
resident and it must intercept the keystrokes. The fact that no software
has bothered to do this does not mean that it cannot be done. The
easiest way for such software to act would be to ignore the machine software
and when sensitive material is to be passed, to do so via direct port
(hardware) access - been a while since I looked at it but AFAIR is around
port 60h. (PC type machines)
This would take care of anything sitting on Int 09 or Int 16 since it would
be bypassed. Often a problem that looks difficult when viewed as a whole
becomes simple once you disassemble it.
Rather than try to find a workaround for a machine you do not trust, why not
develop a means to trust it ? Can do with software alone and that is cheap.
Warmly,
Padgett
ps Dave, what is this thingie on the 21st ? May be in the area (opportunity
for plug here 8*).
pps Before y'all get too wrapped up in free-speech vs libel in the US I would
suggest studying the difference between criminal law and civil.
Return to February 1996
Return to ““A. Padgett Peterson, P.E. Information Security” <PADGETT@hobbes.orl.mmc.com>”
1996-02-04 (Mon, 5 Feb 1996 00:29:20 +0800) - RE: Don’t type your yes/fraud response into your computer - “A. Padgett Peterson, P.E. Information Security” <PADGETT@hobbes.orl.mmc.com>