Path: utzoo!attcan!uunet!clyde.concordia.ca!news-server.csri.toronto.edu!cs.utexas.edu!yale!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Message-ID: <9105:Oct910:13:5190@kramden.acf.nyu.edu>
Date: 9 Oct 90 10:13:51 GMT
References: <652@puck.mrcu> <22024:Oct606:35:1090@kramden.acf.nyu.edu> <13@tdatirv.UUCP>
Organization: IR
Lines: 23

In article <13@tdatirv.UUCP> sarima@tdatirv.UUCP (Stanley Friesen) writes:
> In article <22024:Oct606:35:1090@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
> >In article <652@puck.mrcu> paj@uk.co.gec-mrc (Paul Johnson) writes:
> >> If you are worried about physical line security then use encryption.
> >All that's necessary is that the concentrator and the computer accept some
> >key sequence (such as break) to unconditionally mean ``I want to talk to
> >someone I can trust, so gimme a proper prompt and shove any middlemen
> >out of the way.'' That's it.
> This does *not* deal with *physical* line security.  A *physical* *tap*
> on the line between the computer and the terminal cannot be bypassed by
> simple software means.

We're only talking about stopping trojan horses. Not about password
security. Nor about login spoofs.

It's not my fault that if someone videotapes your keyboard then he gets
your password. Can people stop changing the problem here?

Under the assumption I made---that each communications line is direct
and has some unconditional way to remove any middlemen---Trojan Horses
are stopped. There's no need for encryption to solve this problem.

---Dan