Frontends for Windows

Martin Christensen factotum@gvdnet.dk
Mon Nov 19 00:08:01 2001


>>>>> "Silviu" == Silviu Cojocaru <silviucj@yahoo.com> writes:
Silviu> Ok, this got interesting, now how do you think GPGShell would
Silviu> transmit the "captured" data on a system that uses dial-up and it
Silviu> is *I* that controls when a connection is made and what
Silviu> software is allowed or not to connect to the outside?
Silviu> Try limiting the answer to non Sci-Fi scenarios...

How do you think the original Unix guys managed to keep a backdoor
hidden in their OS for many, many years? Sure, the backdoor was there
to ease remote system administration (tech support, actually), but
intentions are irrelevant. The source was available, so they couldn't
hide it there. That meant that they had to hide it in the C
compiler. However, the source for the C compiler was also available
for anyone to scrutinise, so they couldn't hide it there, either. What
they did was make the C compiler aware not only of when it was
compiling the Unix sources, but when it was compiling itself, such
that the mechanism for building the backdoor in Unix was hidden and
would never be seen as source, even though everything was wide open.

There's your sci-fi in real history, and that's almost thirty years
ago.

Windows has a pretty uniform base system. Detecting when it's on-line
is trivial. Making a binary executable self-modifying such that it'll
only send a key and passphrase once (to avoid suspicion) is not
trivial, but it's not exactly difficult either. Just one boolean value
needs to be changed.

I agree with you that there are probably no backdoors in GPGShell, but
trust is much more easily given to things that anybody can verify, and
if the author gives us the source to his programme, then we can see
for ourselves that it's safe. We could, of course, also choose to
trust the author, just as we could choose to trust my ISP, your ISP,
our respective governments, foreign governments, corporate
organisations with prying eyes and all-round nasty individuals to not
spy on us. There's very little chance that anyone will have a
particular interest in keeping an eye on any particular one of us on
this list, but that's not the point. The point is that many want to
protect their privacy, and that's typically not achieved by trusting
anybody and everybody.

Martin

-- 
Homepage:       http://www.cs.auc.dk/~factotum/
GPG public key: http://www.cs.auc.dk/~factotum/gpgkey.txt
