
Re: [Full-disclosure] Most common keystroke loggers?



gboyce wrote:

<<good and correct stuff snipped>>
> Perhaps it would be a better method to try to instead verify if a system
> has been compromised, and disallow the system to use your application if
> the system is known to be compromised.

See my very recent response to exactly the same misguided suggestion 
from Jan Nielsen.  A rather clever chap called Turing had something to 
say about the impossibility of this (at least, for the types of 
computers we are talking about).

> I'm not sure if anyone has spent any time researching the feasibility of
> third party verification of client systems.  ...

Like the Trusted Computing Initiative (or whatever they call themselves 
these days)???

> ...  Some form of required
> virus/spyware scanning before allowing a client to use a service.  ...

That is _far_ from inadequate for this purpose -- see Turing...

> ...  Of
> course, this may severely limit what operating systems are able to connect
> to the service.

Not necessarily.  Well, the AV check suggestion might, but a properly 
designed and implemented "trusted computing base" style system could be 
CPU and OS agnostic (at least, if we can all agree up front on who we 
are all going to trust forever to be the gatekeepers of the TCB!).


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/