Passphrase Online...

David E. Smith dsmith at prairienet.org
Sun Jan 26 23:56:49 PST 1997


-----BEGIN PGP SIGNED MESSAGE-----

>If I am connected to the Internet via a SLIP/PPP connection and I
>type my passphrase while being online (for example, in Private
>Idaho, after getting my mail), could that passphrase be compromised?
>If so, how would that be done?

It certainly _could_ but hopefully isn't.  Let's say that Joel
McNamara hadn't released the sources to Private Idaho.  It's
certainly possible that he hooked into the windows created when
PI shells out to DOS, and left a snippet of code that mails your
keyID and passphrase to some throwaway AOL account, or a nym address
that bounces through a dozen remailers, or whatever.  Anything you
give to a program, especially one that you know accesses the Internet,
is a potential security risk.

(Special note to Joel, if he's still on this list: Yes, I know
better.  I've read through all of your released Private Idaho sources.
You just seemed like a handy example :)

Paranoid yet?  Good.  That's a healthy state to be in.  Fortunately,
most developers (like Joel) don't put any such evil hooks into
their software.  Having access to the source, to be able to read
through it yourself, is IMO one of the better ways to be sure about
such things. Reading the source and recompiling it yourself is
probably the best.

>Also, if I am online, is it possible for somebody to access my hard
>drive?

Depends on what kind of computer and software you're running.
I'll assume a Windows-style machine.  If we assume that Microsoft
didn't leave any lurking backdoors in their implementation of
wsock32.dll and winsock.dll, and all you run is your usual Web
browser and mail client and you trust _those_ you are probably
safe.  However, if you're running any server daemons on your machine,
such as the MS Personal Web Server or WFTPD or whatever, the 
possibilities go up _a_lot.  Those programs were designed to let
others access your hard drive, so there's a much higher chance that
they'll let someone get something they're not supposed to.  Again,
if you trust the people that developed your software to not stab
you in the back, you should be alright.

Still paranoid?  Excellent.

dave


-----BEGIN PGP SIGNATURE-----
Version: 4.5

iQEVAwUBMuxcVHEZTZHwCEpFAQEIKQf8CMV/7NmaJy50DUmiWV8Pg8iYPv8N3Xcl
M+Fr0HRO08nxy9uRJ+C+aLhnwmXWYfiXyeSbsy9veHepZfTzsEBIYntlk4wOs7eZ
Lk4mjRVI0bLNE60lxmd+8znL0E0QqzVaw5K7t3W0VEe2AMP7aN+ktZGLuIZ8epTg
TSQz4u8Q908r+Od/Ojh2BkG13po63ORPu+wKOzMyLeLWgx5Nz252Xot345tHJSJF
QqM9SQkDW3AZQgiz+we4qocXE8XQ1VbrMJ+qhTQ6GgsVjpfwJegvOqgIC7hgbpDd
gj8lQuEKRqYIPxCqnbh3GbzIQvIwrr4PhvIOuxHX4RPaRacFjrE4iQ==
=F/ib
-----END PGP SIGNATURE-----







More information about the cypherpunks-legacy mailing list