On Mon, Oct 19, 2009 at 01:07:16PM -0700, ch...@blask.org wrote:
> As far as dealing with pre-infected machines, a strong-auth that
> required the user to do something (like swipe a finger) prior to using
> email could stamp a message as being highly likely as having come from
> a human and therefore of higher priority than something that could have
> been produced by a robot.

What's to stop the new owner of that system from stashing the results of the swipe and using them at will? Or more conveniently, just disabling the strong auth code? There's no reason to expect a compromised system to run ANY code that's placed on it. You can't defeat this as long as the OS that's running isn't under your control any more.

Incidentally, one of the things that I expect to see Real Soon Now, given all the progress in virtualization, is malware that sandboxes the former owner of the system into a nice, clean, virtual system and goes through some trouble to run AV code that ensures that environment is infection-free. The user will of course be told "your system is infected", will duly run whatever AV program they have, get back the "system is clean" output...and that's when the real fun starts.

---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.