[ILUG] SSH dictionary attacks.

[paul at clubi.ie]

Just to point out another point of mine you overlooked:

On Sun, 27 Aug 2006, Aine Douglas wrote:
> On 8/27/06, paul at clubi.ie <paul at clubi.ie> wrote:

>> Simply put: If the public key crypto is done in software on the host,
>> it's just unavoidable for the secret key to end up in user-readable
>> memory as things stand.
           ^^^^^^^^^^^^^^^

> Technologies have moved on since you've learned this one.
                     ^^^^^^^^^^^^^^

No they havn't. I was specific in referring to systems /today/.

Also, you are conflating expertise with control.

You seem to assume that because the vast majority of users do not 
have the expertise required to exert their control of the /original/ 
software, that therefore they have no control.

You are wrong. Just look go look at some of the other fields of 
software-only "user control", such as "content protection" for 
audio/visual data and games. Look how successful it is.

It just takes *one* person with the expertise to allow /all/ the 
users to exercise the control they instrinsically have over software, 
with todays systems[1].

Look at XBox: MS controlled everything in it, but it still was 
vulnerable, and primarily through vulnerabilities in 3rd party 
software.

1. 'fully trusted' systems, i.e. those systems which trust
    the hardware maker and OS vendor rather than their owner, don't
    exist today and are largely a pipe-dream IMHO, at least for
    widespread use, for several reasons.

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
Fortune:
"Trust me":
 	Translation of the Latin "caveat emptor."