From owner-freebsd-security Tue Mar 19 14:38:40 2002
Delivered-To: freebsd-security@freebsd.org
Received: from frl.nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id 61FB237B400 for ; Tue, 19 Mar 2002 14:38:36 -0800 (PST)
Received: from nisser.com (roelof.nisser.com [10.0.0.2]) by frl.nisser.com (Postfix) with ESMTP id 07B94EA11; Tue, 19 Mar 2002 23:38:28 +0100 (CET)
Message-ID: <3C97BDE4.8040301@nisser.com>
Date: Tue, 19 Mar 2002 23:38:28 +0100
From: Roelof Osinga
Organization: eBOA - Programming the Web
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.9) Gecko/20020311
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Richard Ward
Cc: Chris Johnson , security@FreeBSD.ORG
Subject: Re: Safe SSH logins from public, untrusted Windows computers
References: <20020319144538.A42969@palomine.net> <001401c1cf81$b12976e0$0101a8c0@noc2>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Richard Ward wrote:
> Chris Johnson,
> ...
> If I could shoot a really crazy idea your way: What about using the
> "Character Map" program included with Windows to slowly "type" out your
> password? Though that would probably be cached long before you overwrite the
> Clipboard.

Since we're talking about wacky ideas, whatever happened to the one I'm about to state: "keypress timing". Well, maybe nobody ever thought of it, could happen, but I remember it as a way to recognize individuals. Like a signature. A hand-drawn one, of course.

What I mean is, can't a person be identified by having them type in some reasonable, well-known sentence? A simple program should suffice to calc some statistic which could then be used as a key to see if that person is likely to know the password when asked.

So you take, say, 'Mary had a little lamb' as test sentence and then both that sentence as well as the timing digest or even the individual samples get transmitted as the "user ID". It could be beaten by a recording device, but not by a paste from the clipboard.

Zany enough?

Roelof
-- 
_______________________________________________________________________
eBOAź est. 1982 http://eBOA.com/ tel. +31-58-2123014
mailto:info@eBOA.com?subject=Information_request fax. +31-58-2160293

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
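The "timing digest" idea in the post, worked through as an added example (this is not code from the mailing-list thread or from any FreeBSD component). It assumes a client records a millisecond timestamp for every character of the challenge phrase as it is typed; the enrollment typings, the later genuine typing, the clipboard paste and the second typist are all constructed samples, not real measurements. The digest is the per-interval mean and standard deviation over several enrollment typings, and a candidate sample is scored with a scaled-Manhattan distance (mean absolute z-score of its inter-key intervals against the template), which is a common simple detector in keystroke-dynamics work.

```python
"""Keystroke-timing digest for a fixed challenge phrase.

Added example, not code from the original mailing-list post. It assumes the
client records a timestamp (milliseconds) for each character of the phrase as
it is typed; all timing samples below are constructed, not recorded.
"""
import statistics

PHRASE = "Mary had a little lamb"
MIN_STDEV_MS = 5.0      # floor so a perfectly consistent typist never divides by zero
ACCEPT_THRESHOLD = 2.0  # mean |z| above this is treated as "not the enrolled typist"


def intervals(timestamps):
    """Inter-key intervals (ms) for one typing of PHRASE; length is len(PHRASE) - 1."""
    if len(timestamps) != len(PHRASE):
        raise ValueError("sample length does not match the challenge phrase")
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def enroll(samples):
    """Template from several typings: per-interval mean and standard deviation."""
    columns = list(zip(*(intervals(s) for s in samples)))
    return {
        "means": [statistics.mean(col) for col in columns],
        "stdevs": [max(statistics.pstdev(col), MIN_STDEV_MS) for col in columns],
    }


def score(template, timestamps):
    """Scaled-Manhattan distance: mean of |interval - mean| / stdev. Lower is closer."""
    ivs = intervals(timestamps)
    zs = [abs(iv - m) / s for iv, m, s in zip(ivs, template["means"], template["stdevs"])]
    return sum(zs) / len(zs)


def verify(template, timestamps, threshold=ACCEPT_THRESHOLD):
    """True if the sample's rhythm is close enough to the enrolled template."""
    return score(template, timestamps) <= threshold


def timestamps_from_intervals(ivs, start=0):
    """Turn a list of inter-key intervals back into absolute key timestamps."""
    ts = [start]
    for iv in ivs:
        ts.append(ts[-1] + iv)
    return ts


# --- constructed samples (not real measurements) ----------------------------
N = len(PHRASE) - 1
BASE = [120 + 40 * (i % 5) for i in range(N)]  # the enrolled typist's rhythm, ms

# Four enrollment typings: each interval jittered by +/-10 ms around BASE.
ENROLL_SAMPLES = [
    timestamps_from_intervals(
        [b + (10 if (i + k) % 2 == 0 else -10) for i, b in enumerate(BASE)]
    )
    for k in range(4)
]
TEMPLATE = enroll(ENROLL_SAMPLES)

# A later typing by the same person: +/-5 ms off the usual rhythm.
GENUINE = timestamps_from_intervals([b + (5 if i % 2 == 0 else -5) for i, b in enumerate(BASE)])
# The phrase pasted from the clipboard: every character arrives 1 ms after the last.
PASTED = timestamps_from_intervals([1] * N)
# Someone else typing the phrase at a flat 200 ms per key.
OTHER_TYPIST = timestamps_from_intervals([200] * N)

if __name__ == "__main__":
    for label, sample in [("genuine", GENUINE), ("pasted", PASTED), ("other typist", OTHER_TYPIST)]:
        print(f"{label:13s} score={score(TEMPLATE, sample):6.2f} accept={verify(TEMPLATE, sample)}")
```

Running the block shows the genuine typing scoring well inside the threshold while both the paste (a burst with no rhythm at all) and the second typist are rejected. The threshold and the stdev floor are the tuning knobs: a low floor makes the check brittle against normal day-to-day variation, a high threshold lets a roughly similar typist through; and, as the post already notes, anything that records and replays the real keystroke timings is not distinguished by this measure.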