From: Alexander Skwar <ASkwar(_at_)DigitalProjects(_dot_)com>
> But still. If I were after your password because it's so valuable, I'd
> take an approach which is kinda guaranteed to work, i.e. I'd set up a
> sniffer and get the password in plain text in almost no time. For this
> I don't even have to hack into your machine; I'd just have to be on the
> same physical network.
<---SNIP--->
> Well, *that* is arguable. I honestly don't know, but I'd expect that in
> the "black hat" circles there are easy to set up network sniffers, don't
> you think? Heck, even ethereal will very easily capture the network
> traffic. I don't think that's hard to set up/run.

Setting up a sniffer to capture network traffic is trivial. If you want the
easy way, try dsniff (http://www.monkey.org/~dugsong/dsniff/). It's
*designed* to capture logins, including POP logins, in a trivial way.
Of course, that's detectable by what it does to the network interface.
But even that's resolvable :-)
> 1) This tells people that there's no security if you store the password
> on a machine where you can't trust root

The bottom line is, if you can't trust root then you're in big trouble.
Root can do *anything* they want to a system, file permissions are
irrelevant. If you're that worried, move to a Windows platform where the
Administrator account has been crippled. It's much harder for Administrator
to do things :-(
Root can read your email once it's downloaded if they want to, decode your
system password trivially (http://www.openwall.com/john/), or do pretty much
anything else. Heck, they can make it look like *you* did things without
any real effort.
Please don't CC me on anything sent to mailing lists or send
me email directly unless it's a privacy issue, thanks.
--
Rob | Ask questions the smart way:
http://www.tuxedo.org/~esr/faqs/smart-questions.html