1996-12-19 - Re: [PGP-USERS] Password Keystroke Snarfer Programs (passphraseprotection)

Header Data

From: Dave Del Torto <ddt@pgp.com>
To: Bill Stewart <stewarts@ix.netcom.com>
Message Hash: 683a252832fc52492b12c39de9bd442b25eb70a1716f97b795a8ba380bbf269e
Message ID: <v03100b27aedeb335e709@[204.179.135.28]>
Reply To: <1.5.4.32.19961219082542.003d493c@popd.ix.netcom.com>
UTC Datetime: 1996-12-19 17:07:42 UTC
Raw Date: Thu, 19 Dec 1996 09:07:42 -0800 (PST)

Raw message

From: Dave Del Torto <ddt@pgp.com>
Date: Thu, 19 Dec 1996 09:07:42 -0800 (PST)
To: Bill Stewart <stewarts@ix.netcom.com>
Subject: Re: [PGP-USERS] Password Keystroke Snarfer Programs (passphraseprotection)
In-Reply-To: <1.5.4.32.19961219082542.003d493c@popd.ix.netcom.com>
Message-ID: <v03100b27aedeb335e709@[204.179.135.28]>
MIME-Version: 1.0
Content-Type: text/plain


At 12:25 am -0800 12/19/96, Bill Stewart wrote:
>Several articles on the PGP-users mailing list have discussed
>keystroke snarfers that unexpectedly grab and save keystrokes,
>including passwords, severely weakening any benefits from encryption.
[elided]
>From: patm@connix.com (Pat McCotter)
>>Which is why, every once in a while, I do a search of my entire disk [...]
>>with Norton DiskEditor.  [elided]
>
>Be careful - PGP goes to a lot of effort to overwrite your passphrase
>when it's done using it; Norton or grep or other disk-crawlers are unlikely
>to do so, because that sort of paranoia's not part of their job [elided]

Indeed, and any malignant passphrase-snarfer is probably going to
anticipate this counter-attack and scramble the text stream it saves
invisibly so that disk sector searches will be unlikely to pop up your
passphrase. We definitely need to build better defenses against this sort
of thing.

   dave


________________________________________________________________________
Dave Del Torto                                      +1.415.524.6231  tel
Manager, Strategic Technical Evangelism             +1.415.631.0599  fax
Pretty Good Privacy, Inc.                        http://www.pgp.com  web






