BigB said:

>Picture a hacker receiving data streams from a number of
>Trojans he's planted in the computers of e-gold a/c holders.
>
>In one case, he knows the e-gold a/c #. He has a program
>which scans the data stream,
>
>looking for the a/c #. When
>he finds it, it's very likely that what follows is the password.
>This makes it very easy for the hacker to find the password.
>
>In another case, the hacker doesn't know the log-in #. He
>most likely does not have a practical way of quickly identifying
>any string of characters as the log-in # for an e-gold a/c. This
>makes it much more difficult for the hacker to find the log-in #
>and the password.


What you say above is unfortunately wrong in my opinion, BigB.

It's incredibly easy to find what you're looking for when you look 
through the file of a keyboard sniffer, in my experience.

Here, I just keyboard-sniffed myself as I logged into e-gold, I'll 
paste in the extract.  I'll replace special characters with 
equivalents (e.g. tab, newline, etc.)


n my experience.use.e-gl
use.e-go
        241164
        asswipe


(that is not really my password, so don't waste your time :) )

You can immediately see above that if "241164" was instead 
"SomeOtherNumber", it would achieve exactly nothing.

Nothing is easier than looking through a keyboard sniffer file and 
finding out what's going on; it's like reading someone's mind.  You 
can see their common typos, etc.

Experiment with any keyboard sniffer for ten minutes and you'll 
immediately get the idea.
>Picture a hacker receiving data streams from a number of
>Trojans he's planted in the computers of e-gold a/c holders.
>
>In one case, he knows the e-gold a/c #. He has a program
>which scans the data stream,

(PS, you don't need a "program" to do that. You just open it up with 
a text editor and "search" on whatever term you are interested in.)

>looking for the a/c #. When
>he finds it, it's very likely that what follows is the password.
>This makes it very easy for the hacker to find the password.
>
>In another case, the hacker doesn't know the log-in #. He
>most likely does not have a practical way of quickly identifying
>any string of characters as the log-in # for an e-gold a/c. This
>makes it much more difficult for the hacker to find the log-in #
>and the password.
>
>How easy or difficult the password is to guess doesn't make
>much difference. Little, if any, guessing is involved. The hacker
>reads whatever follows the a/c # in the data stream.
>
>(The Trojan could even be written so it produces a data stream
>only for the characters following a specific e-gold a/c #.)
>
>> > I suggest you contact Douglas Jackson <[EMAIL PROTECTED]> and
>> > request that he upgrade his system, to provide a log-in# which is
>> > different from the a/c#. You never reveal the log-in# to anyone.
>>
>>So how would you propose to make this type of change backward compatible? Do
>>we just tell people who don't have valid contact information to piss off
>>and forget about their acct? How long before the cries of 'e-gold stole my
>>acct and won't let me access it anymore'? The acct# isn't the problem.
>>Your computer's security and/or your choice of passphrase is.
>
>e-gold can communicate with its a/c holders via email and notices
>on its website. Accommodation can be made for those who wish
>to continue to use their a/c # as a log-in #.
>
>I urge everyone with an e-gold a/c to continue contacting Douglas
>Jackson <[EMAIL PROTECTED]> until he corrects this absurd
>and unnecessary weakness in his system.
>

Doug's a bad ass, as is now well established! :)

The proposition is logically incorrect, so he'll just ignore it.  If 
he was polite, he'd write back pointing out it's incorrect, but since 
he's a bad ass he'll just ignore any email.


>Such issues can be further discussed on the
>Gold Account Security discussion list -- to subscribe, send
>a blank email to <[EMAIL PROTECTED]>
>or join at <http://www.topica.com/lists/gold_security>.
>
>Frederick Mann



-----------------------------------------------------------
"Great ventures create great mottos."


---
You are currently subscribed to e-gold-list as: archive@jab.org