From: John Shaft <shaft@africamail.com>
Date: Mon, 27 Jan 1997 11:47:52 -0800 (PST)
To: cypherpunks@toad.com
Subject: Passphrase Online...
Message-ID: <199701271947.LAA03025@toad.com>
MIME-Version: 1.0
Content-Type: text/plain



>>If I am connected to the Internet via a SLIP/PPP connection and I
>>type my passphrase while being online (for example, in Private
>>Idaho, after getting my mail), could that passphrase be compromised?
>>If so, how would that be done?

There are a number of things that can happen. Basically, if you don't
directly control the device/application that is doing the encryption for
you, you run the risk of someone intercepting whatever you xmit. For
example, if you have a dial up type shell account with your local ISP, and
you depend on some UNIX based encryption program to secure your mail
(running on the ISP's machine), anyone with root access can tap the tty and
watch you enter your passphrase. You're also susceptable (sp?) to someone
taping your phone line and looking at you with a packet analyzer. 

I suppose if you were doing something locally, and someone wanted to be
really sneaky, they could embed something like keycopy on your machine (with
a virus or something) and get coppied every time you enter a keystroke. I
don't suppose it would be all that difficult to get a machine to run a tsr
that got kicked off every time you accessed something like, say ,
PGP....Comments?

Shaft! Damn Straigt.

shaft@africamail.com