On Wed, Apr 07, 1999 at 09:47:52PM -0400, Nelson Minar wrote:
> >Eventually someone will write a trojan which searches memory for
> >Interesting Things left there by other apps or pretends to be a
> >trusted app to the user.
>
> Can you name an operating system in common use today that doesn't
> suffer from this problem? I see you have a PGP key - are you running
> it a system that's fully trustable? Confident that no trojan could
> have snuck in and stolen your secret key when you weren't looking?
>
> I'm not trying to be difficult; this is a real problem. And no one has
> a good solution for consumer use. I think a Pilot is likely to be
> better than my desktop PC.
"Better" is not the same as "trusted".
I don't disagree that the Pilot is less insecure than a PC. But IMHO
that's largely because no one has bothered to write exploits for it, not
because of any designed-in security. Treating it as a trusted device
simply because it hasn't been hacked yet would be a mistake, since for
every new use (esp. high value uses) of the Pilot you raise the reward
for attackers. A Pilot might be a excellent place for me to put
my PGP keys since it's less insecure than my workstation and my PGP key
isn't worth very much since my secrets aren't all that interesting.
But a deployment of a million or two Pilots for use as credit
authenticating devices (just to make up an example) would, unless
the keys are protected in some other trusted hardware, be a big
fat target.
--
Eric Murray N*Able Technologies www.nabletech.com
(email: ericm at the sites lne.com or nabletech.com) PGP keyid:E03F65E5
