Jan Nielsen wrote: > That question opens up a whole lotta other questions, really depends on > what you hope to achieve by doing authentication via a compromised system. > In my book you should instead try to detect a compromised system and deny > them access if they are indeed compromised, ...
Obviously, then, your book does not include the phrase "Halting Problem"... > ... that would be in the end-users > best interest I think (and of course report your findings to the users > mailbox or something, don't tell the hacker that you detected his > keylogger :-) And what machines do you think users are most likely to check their mail from? And, of course, your suggestion raises a primacy issue -- if you actually did detect the user's machine was compromised before they logged in and thus prevented allowing the login by not allowing the login dialog to be displayed or somesuch (thereby saving the user compromising yet more of their data), how in the heck do you know where to send the warning mail? Hmmmmm... Methinks you should think more before responding. Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
