[FoRK] Not the linux-mini yet,

Wilkin, Kurt Kurt.Wilkin
Fri Aug 19 02:05:14 PDT 2005


on fork-bounces at xent.com wrote:
> On Fri, 19 Aug 2005, Udhay Shankar N wrote:
> 
>> Lucas Gonze wrote [ at 10:39 AM 8/19/2005 ]:
>> 
>>> You can't trust the keyboard, though.  Any secrets have to
>>> originate on the mini and be encrypted as they pass through the
>>> untrusted cybercafe machine. 
>>> 
>>> For starters there's a big freebie to bootstrap the system: ssh
>>> passwordless login.  However that won't help you with any web site
>>> you have to log in to, most importantly webmail.
>> 
>> Maybe an on screen keyboard on a webserver you control, hardcoded to
>> go to yahoo/gmail/whatever? The actual email may not have that level
>> of security requirement, but the passphrase surely would.
> 
> That's getting there...  You can't interactively enter the password,
> though.  It would have to be a recording of some kind.
> 
> One angle of attack -- a filtering proxy on the mini which munges the HTTP
> to auto-fill password fields without ever sending the password data to the
> screen.  Or -- a mozilla extension which could read and write the disk on
> the mini...
> 

Store the AutoHotkey.exe (from http://www.autohotkey.com/ )
on your mini, copy it onto the dirty machine, as well as a
script file containing a line like:

::pw::password

Run the script, then when you enter 'pw' in the password
field it'll be auto-replaced with 'password'.

For extra paranoia, compile the script to a password
protected exe.

That'll get you past the keyboard anyway.

Cheers, Kurt.
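As an added example, not from Kurt's message or from the AutoHotkey project: a fuller AutoHotkey v1 script built around the one-line hotstring above, with the options a practitioner would want when the replacement is a real password. The R option sends the replacement raw, so braces, !, ^, + and # in the secret are not interpreted as key names or modifiers; the * option fires as soon as the abbreviation is typed, so no trailing space or Enter is sent into the field; and a hotkey unloads the script when you are done so the expansion is not left armed on the shared machine. The secret value and the unload hotkey are placeholders. One caveat: the expansion is still delivered through the keyboard input path (SendInput), so a keylogger that hooks keyboard input at that level sees the expanded text, and the secret sits in clear text in the script on the dirty machine; this approach helps against hardware keyloggers and shoulder surfing, not against software hooks.

```autohotkey
; Added example (not from the post): AutoHotkey v1 hotstring script.
; PLACEHOLDER secret and hotkey are assumptions; substitute your own.
#NoEnv
#SingleInstance Force
SendMode Input            ; send the expansion as one burst rather than key by key

; R = send raw: characters AutoHotkey would otherwise treat as key names or
;     modifiers ({ } ! ^ + #) arrive unchanged. Without R, a password
;     containing "{" or "!" is mangled or turned into a modifier press.
; * = immediate: fires right after "pw" is typed, no ending character
;     (space/Enter) required, so nothing extra is sent into the field.
; The typed "pw" is backspaced automatically before the replacement is sent.
:R*:pw::PLACEHOLDER-secret-{with}^odd+chars!

; Ctrl+Alt+Q unloads the script so the hotstring stops working once you
; have logged in and nothing stays resident on the shared machine.
^!q::ExitApp
```

Run it with the AutoHotkey.exe copied alongside it, type pw into the password field, then press Ctrl+Alt+Q and delete the script file before leaving the machine.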

