It's 2013, and pretty much everyone's SSH private keys are encrypted with a symmetric key that's just an MD5 of their password o_O
@gkmccready not root, it can be anything that can read a file as your current user
@bascule So anything already running as me? What am I protecting against again? I'm already compromised...
@gkmccready pretty much! MySQL LOAD DATA LOCAL comes to mind
@bascule The point is the md5'd passphrase as a symmetric key isn't the weak point. For it to be the weakest link, you're already in trouble
@gkmccready cryptography is a systems problem, and all parts need to be secure
@bascule Okay, what do you replace it with that's any better given the threats you're trying to mitigate?
@gkmccready any decent PBKDF. ssh supports PKCS#8/PBKDF2 out of the box (except, apparently, on OS X Mavericks)
@bascule But your threats are evil admin or running as me already. Making something take more CPU doesn't solve those.
@gkmccready the threat is any program running as you that an attacker can get to read a file you own. That's a lot of attack surface
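The two key derivations the thread contrasts, side by side, as an added example (not code from either participant or from OpenSSH). It reproduces the single-pass MD5 derivation OpenSSL applies to legacy `Proc-Type: 4,ENCRYPTED` PEM keys and times it against PBKDF2. Assumptions: the passphrase and salt are constructed, and the PBKDF2 hash (HMAC-SHA256) and iteration count are illustrative choices, not values from the thread.

```python
import hashlib
import time

def legacy_pem_key(passphrase: bytes, salt: bytes, key_len: int = 16) -> bytes:
    """OpenSSL EVP_BytesToKey with MD5 and count=1 (legacy PEM encryption).

    salt is the first 8 bytes of the IV from the key file's DEK-Info header.
    For a 16-byte AES-128 key this is exactly one MD5 call.
    """
    out, block = b"", b""
    while len(out) < key_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        out += block
    return out[:key_len]

def pbkdf2_key(passphrase: bytes, salt: bytes, iterations: int,
               key_len: int = 16) -> bytes:
    """PBKDF2 (the KDF family PKCS#8 encryption uses); hash choice is assumed."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, key_len)

def seconds_per_derivation(fn, *args, repeat: int = 1) -> float:
    """Average wall-clock cost of one derivation, i.e. of one passphrase guess."""
    start = time.perf_counter()
    for _ in range(repeat):
        fn(*args)
    return (time.perf_counter() - start) / repeat

def cost_ratio(iterations: int = 100_000) -> float:
    """How many times more expensive one PBKDF2 guess is than one MD5 guess."""
    passphrase = b"correct horse battery staple"   # constructed sample
    salt = bytes.fromhex("0102030405060708")        # constructed sample
    legacy = seconds_per_derivation(legacy_pem_key, passphrase, salt, repeat=10_000)
    stretched = seconds_per_derivation(pbkdf2_key, passphrase, salt, iterations)
    return stretched / legacy

if __name__ == "__main__":
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f}x one MD5 guess")
```

The ratio is the work factor an offline guesser has to pay per candidate passphrase once the key file has been read, which is the scenario the last tweet describes.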