[ On Monday, November 20, 2000 at 09:07:47 (-0600), Dave Dykstra wrote: ]
> Subject: Re: autologin considered harmful?
>
> A very smart security expert successfully persuaded me that if a user's
> machine is compromised, all bets are off. It makes no difference whether
> you use passwords/passphrases or not, the cracker can still get in to the
> server. The vital thing is to secure the user's machine, not introduce
> artificial barriers that don't make any difference anyway.

Exactly!

A good article that discusses the fallacy of trusted client software
more generally is Schneier's Crypto-Gram article (an updated version also
appeared in Aug. 2000 "Information Security" trade rag, p. 20):
<URL:http://www.counterpane.com/crypto-gram-0005.html>
(search for "trusted client software")
--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>