GnuPG in universities

Werner Koch wk@gnupg.org
Mon Jun 11 09:39:01 2001


 || On Mon, 11 Jun 2001 00:06:58 +0000
 || Pedro Diaz Jimenez <pdiaz88@terra.es> wrote: 

 pdj> anyway?. And for the sniffing stuff, I never use something less secure than 
 pdj> ssh  (more secure, for me, is typing at the machine keyboard)

This is the most important thing to consider when you use a random
box located somewhere on the campus.  Expect that everything you type
on this box is logged.  Even an inexperienced cracker can insert a
keystroke recorder into the keyboard cable - you won't notice that and
it is a matter of seconds to install it.  The most common method
however is to trojan the login program and then later log everything
you type.  This is an everyday attack and not some esoteric hack.

I know that a lot of folks use such boxes to read email and to log in
to other machines.  Often they use SSH to log in to other machines
using a password which is the same they use to get their mail by POP
(without APOP) - this makes it even easier for an attacker because he
only needs to sniff on the network and can spy on dozens of users at
the same time.

The upshot is that SSH is only secure if you know what you are doing.

Ciao,

  Werner


-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus