Implications of using insecure memory

Atom 'Smasher' atom at suspicious.org
Mon Oct 4 21:46:10 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Mon, 4 Oct 2004, Aleksandar Milivojevic wrote:

> For a Linux box, you can ask your sysadmin to install gpg with setuid bit 
> set.
==================

supplying a password to *any* application being run on a box that isn't 
under your direct administrative and physical control is a risk, and 
shouldn't be overlooked. however, it pales in comparison to using pgp/gpg 
on windows.

in the case above, if we assume that the sysadmin is doing his job of 
keeping the computer secure, then the sysadmin is the only one who could 
compromise your key: this can be done with a trojan binary or just reading 
physical memory. with windoze, any half-wit script-kiddie or international 
data crook can get your key.


         ...atom

  _________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"Sure, it's going to kill a lot of people,
 	 but they may be dying of something else anyway."
 		-- Othal Brand,
 		member of a Texas pesticide review board,
 		comments on Chlordane
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

-----END PGP SIGNATURE-----


