[9668] in cryptography@c2.net mail archive
Re: Scarfo "keylogger", PGP
daemon@ATHENA.MIT.EDU (Rick Smith at Secure Computing)
Wed Oct 17 12:27:13 2001
Message-Id: <4.3.2.7.0.20011017095524.02608db0@STPNTMX03.sctc.com>
Date: Wed, 17 Oct 2001 10:02:26 -0500
To: Ben Laurie <ben@algroup.co.uk>
From: Rick Smith at Secure Computing <rick_smith@securecomputing.com>
Cc: Peter Fairbrother <peter.fairbrother@ntlworld.com>,
cryptography@wasabisystems.com, schneier@counterpane.com
In-Reply-To: <3BCC0A1F.A5681CE@algroup.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 05:21 AM 10/16/2001, Ben Laurie wrote:
>Rick Smith at Secure Computing wrote:
> > >Is this a serious security failure in PGP?
> >
> > No, it's a problem with any programmable computer. If you can install new
> > programs, you can install changes to existing programs.
>
>That is not true - it's a function of the OS and the type of access you
>have. I can install new programs on my Unix box but without root I
>cannot change existing programs, for example.

If you have physical access to a commercial computing device, be it Unix or
Microsoft or anything else, and you have the right tools, you can reprogram
the OS, the applications or both, to do whatever you want. The tools aren't
that expensive or that hard to acquire, especially for an intelligence/law
enforcement organization. Physical access always trumps the software access
controls which we must rely on to protect the plaintext and passphrases
handled by PGP.

Rick.
smith@securecomputing.com roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/
---------------------------------------------------------------------
The Cryptography Mailing List