I love this story…
How girl, 6, hacked into MP’s Commons computer
I assume a physical keyboard logger like this could still be used to steal an IdP username & password, even with all the secure desktop stuff that the CardSpace client has built in…
(story via Authentication World)
While the comment regarding stealing someone’s IdP credentials is technically correct, it’s not the whole story, and I would not want to see folks argue a lot about how to solve that “authentication” step.
Isn’t the real security problem with keystroke loggers that the miscreant can obtain information that was typed in after that initial step? E.g., they can obtain what was typed into that confidential email message or something similar.
Heh, I’m all for arguing; whether it’s a subcase or not, I don’t see the harm in it…
Information is information. IdP passwords and damaging emails, it’s all just a bitstream that has to be parsed. I would ask what the difference is between an email loaded directly into a keyboard logger and an email that an attacker reads and downloads as a result of stealing the user’s email password?
You’re correct; CardSpace doesn’t fix this problem. It’s fundamentally an analog hole problem.
The omnipotent, omniscient, and omnipresent adversary is a tough one (“For there is nothing covered that shall not be revealed, and hid, that shall not be known” – Matt. 10:26); the bad guy sitting next to you as you work is a good simulation of that adversary.
Pingback: Kim Cameron’s Identity Weblog » 6 year old installs keylogger