[kwlug-disc] Generating and using PGP keys

Chris Frey cdfrey at foursquare.net
Sat Feb 21 02:24:54 EST 2009 

On Sat, Feb 21, 2009 at 01:52:02AM -0500, unsolicited wrote:
> I've plugged in my USB to a college computer (after having logged in 
> to Windows with a valid id), and used both Firefox, and ssh (after 
> starting putty) then vnc'ed into home. I've done this from the 
> Waterloo Public Library as well.

What people do with computers is up to them, but just so people are
well informed, here are two possible attack vectors off the top of my
head:

	- the Windows machine you logged into has a virus, and when you
		plug in your USB key, it copies itself to it.  When you
		take the key home and plug it into your Windows
		machine, it autoruns and infects your home computer.
		I've heard about some pretty stealthy plans for these things,
		and it makes me mutter every time I think about Windows'
		blasted autorun feature. :-)

	- the machine may have a software keylogger, or a hardware keylogger
		embedded into the keyboard, storing your login password,
		and everything you type.

		How many people check for a device like this before
		typing at a public computer?

		http://www.amazon.com/KEYGHOST-SX-2MB-PRO-SE/dp/B000PR0UHG


> My purpose at the time was to have my 'favourite Firefox environment' 
> on hand all the time, and to tunnel into home where 'my favourite 
> desktop' was already set up. My portable Firefox has, of course, my 
> favourite bookmarks already present. It became easier to tunnel into 
> home than to keep track as to whether the latest version of that doc 
> was on my key, or at home. e.g. When I loaded the doc from my key, did 
> I actually make any changes.

A safer method might be to just post your bookmark file to a secret URL on
your own website, as long as there wasn't anything in it that was private.
When you start firefox from USB key, perhaps wrap it with a script that
downloads your bookmarks fresh each time.

The idea would be to always view your USB key as already compromised, and
keep it separate from your internal network, or treat it safely.

Even if that was "compromised" and someone downloaded your bookmarks,
they wouldn't have anything they could use to break through your firewall,
like a passphrase or password.

Alternately, there is the one-time-password route, which defeats keyloggers
since the password can only be used once.  But even that is limited, since
most people will want to log into gmail or facebook or something once they
get on the net, and then we're back to square one.

- Chris "security party pooper" Frey

More information about the kwlug-disc mailing list