Hi Martin,

Monday, October 27, 2003, 4:48:28 PM, you wrote:

JN>> They are two separate issues. A misused password can wreak boundless
JN>> havoc for years after the incident.

MW> You use one password for everything?

This issue is completely separate from the one of a misused password. You can have as many as you like, but if you don't change them, then it doesn't make any difference. Any one of them can be compromised and used for years.

MW> And continue to use it after the possibility of it being compromised?

Often, the victim has no idea that he has been compromised. The situation described, where someone other than yourself is reading your email, is exactly one of these. If the attacker merely wants to read your mail without your knowing, and does not change anything, there is no reason for the average user to suspect wrongdoing. And therefore no reason to change his password. Even users who would not typically be considered 'average' grow complacent enough that this occurs often.

MW> Surely you would change your password(s) before handing your PC to a
MW> stranger? And if you can't beforehand, afterwards?

I'm not sure what your point here is... did I miss something in the discussion?

MW> Certainly, if you're that concerned about password security you
MW> shouldn't save it in the first place; it's an option after all. :-)

True.

MW> Still more probable than a complete stranger sitting in front of my PC
MW> and wreaking havoc with his hex editor. (assuming he can log on and
MW> access my folders) I think someone would notice that! :-)

This is actually completely unnecessary if this stranger somehow manages to install a trojan on your machine remotely. Compress it, encrypt it, bind it to an innocuous file type and most antiviruses will not catch it. No need to log on, the program could be made to run with your privileges. No need for a hex editor since he's not modifying anything.

Most advanced trojans have impressive capabilities when it comes to downloading and uploading anything from your machine, so he could simply download the message files and .cfg files to his own machine and play in peace :) Hell, if he did want to wreak havoc, he could even fire up the hex editor and look through your downloaded EXEs.

All this said, using PGPDisk and not using default installation paths is the way to go if you have reason to anticipate security breaches. Or use SecureBat, which I'll take the other posters' word for, is designed to be more secure.

Cheers,

--
Vishal

________________________________________________
Current version is 2.01.3 | "Using TBUDL" information:
http://www.silverstones.com/thebat/TBUDLInfo.html