Comments on: Identity X-file 0×01 http://eternallyoptimistic.com/2007/03/25/identity-x-file-0x01/ Wed, 10 Aug 2011 17:44:16 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Kim Cameron’s Identity Weblog » 6 year old installs keylogger http://eternallyoptimistic.com/2007/03/25/identity-x-file-0x01/comment-page-1/#comment-225 Kim Cameron’s Identity Weblog » 6 year old installs keylogger Fri, 06 Apr 2007 06:25:11 +0000 http://eternaloptimist.wordpress.com/2007/03/25/identity-x-file-0x01/#comment-225 [...] Here is a strange one via Pamela Dingle’s eternal optimist: [...] [...] Here is a strange one via Pamela Dingle’s eternal optimist: [...]

]]> By: Bob Blakley http://eternallyoptimistic.com/2007/03/25/identity-x-file-0x01/comment-page-1/#comment-226 Bob Blakley Wed, 28 Mar 2007 04:53:06 +0000 http://eternaloptimist.wordpress.com/2007/03/25/identity-x-file-0x01/#comment-226 You're correct; CardSpace doesn't fix this problem. It's fundamentally an analog hole problem. The omnipotent, omniscient, and omnipresent adversary is a tough one ("For there is nothing covered that shall not be revealed, and hid, that shall not be known" - Matt. 10:26); the bad guy sitting next to you as you work is a good simulation of that adversary. You’re correct; CardSpace doesn’t fix this problem. It’s fundamentally an analog hole problem.

The omnipotent, omniscient, and omnipresent adversary is a tough one (“For there is nothing covered that shall not be revealed, and hid, that shall not be known” – Matt. 10:26); the bad guy sitting next to you as you work is a good simulation of that adversary.

]]> By: Pamela http://eternallyoptimistic.com/2007/03/25/identity-x-file-0x01/comment-page-1/#comment-224 Pamela Mon, 26 Mar 2007 16:20:14 +0000 http://eternaloptimist.wordpress.com/2007/03/25/identity-x-file-0x01/#comment-224 Heh, I'm all for arguing, whether it's a subcase or not, I don't see the harm in it... Information is information. IdP passwords and damaging emails, it's all just a bitstream that has to be parsed. I would ask what the difference is between an email loaded directly into a keyboard logger and an email that an attacker reads and downloads as a result of stealing the user's email password? Heh, I’m all for arguing, whether it’s a subcase or not, I don’t see the harm in it…

Information is information. IdP passwords and damaging emails, it’s all just a bitstream that has to be parsed. I would ask what the difference is between an email loaded directly into a keyboard logger and an email that an attacker reads and downloads as a result of stealing the user’s email password?

]]> By: Eric Norman http://eternallyoptimistic.com/2007/03/25/identity-x-file-0x01/comment-page-1/#comment-227 Eric Norman Mon, 26 Mar 2007 00:01:27 +0000 http://eternaloptimist.wordpress.com/2007/03/25/identity-x-file-0x01/#comment-227 While the comment regarding stealing someone's IdP credentials is technically correct, it's not the whole story and I would not want to see folks argue a lot about how to solve that "authentication" step. Isn't the real security problem with keystroke loggers that the miscreant can obtain information that was typed in after that initial step? E.g. they can obtain what was typed into that confidential email message or something similar. While the comment regarding stealing someone’s IdP credentials is technically correct, it’s not the whole story and I would not want to see folks argue a lot about how to solve that “authentication” step.

Isn’t the real security problem with keystroke loggers that the miscreant can obtain information that was typed in after that initial step? E.g. they can obtain what was typed into that confidential email message or something similar.

]]>