Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!yale!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Message-ID: <12438:Oct223:00:3290@kramden.acf.nyu.edu>
Date: 2 Oct 90 23:00:32 GMT
References: <8685@mirsa.inria.fr>
Organization: IR
Lines: 11

In article <8685@mirsa.inria.fr> jlf@mirsa.inria.fr (Jean-Louis Faraut) writes:
> What about a two-ways authentication, modifying the getty program to
> oblige the computer to authenticate itself ?

Fails. As I've said before, you can't reliably *avoid* a Trojan Horse
unless you can reliably *detect* a Trojan Horse. If you don't have a
trusted path, the intruder can masquerade as you, forwarding enough of
the responses you supply to authenticate itself and then taking control
of your account.

---Dan