From: "David E. Smith" <dsmith@midwest.net>
Date: Wed, 6 Mar 1996 09:48:25 +0800
To: jrochkin@cs.oberlin.edu (Jonathan Rochkind)
Subject: Re: Remailer Security
Message-ID: <2.2.32.19960305212904.00683828@204.248.40.2>
MIME-Version: 1.0
Content-Type: text/plain


At 11:06 PM 3/4/96 -0500, jrochkin@cs wrote:
>At 11:06 PM 03/04/96, lmccarth@cs.umass.edu wrote:

>Um, there's no reason why your remailer's account needs to be logged into
>interactively, is there?  Seems like remailer ops should disable login to
>remailer accounts, putting '*' into the password field in /etc/passwd, or
>however unix lets you disable login (I know it does).

If I want a remailer's key, I would probably try to go after root.  Not
only will it get me that key, but there's no telling what else might
turn up in the meantime.  If you can get access to any account on the
system, odds are good you can give yourself root access anyway.  It's
almost a "freebie."

>Obviously, the general security risk of someone gaining unauthorized access
>to the remailer executable or data files is still there, and important to
>keep in mind.  But this would seem to be a fairly logical security measure.

You could always do a custom-compile of PGP that never checks for a passphrase;
it's compiled into the executable.  That's only a trivial measure at best
(heck, hex editors have been around since roughly the dawn of UNIX) but
it's a place to start.

I don't think it's possible to have too much security.

dave

-----
David E. Smith,  c/o Southeast Missouri State University
1000 Towers Circle South MS 1210 Cape Girardeau MO 63701
dsmith@midwest.net,  dave@nym.alias.net,  PGP 0x961D2B09
(573)339-3814    http://www.midwest.net/scribers/dsmith/
"Reality is only for those lacking in true imagination."