paperkey // ? feature request

[David Shaw]

On Tue, Feb 10, 2009 at 04:44:01PM -0500, Robert J. Hansen wrote:

> > [2] above mentioned message posted anonymously to newsgroup like 
> > comp.security.pgp.test 
> > from internet cafe, 
> > (pre-paid in cash, using new usb drive with nothing else on it)
> 
> USB tokens have GUIDs, Globally Unique Identifiers.  Computers keep
> track of what GUIDs they've seen.  If the secret police get access to
> the PC, then they know "ah, someone used GnuPG on a USB token, with a
> GUID of...", etc.  That USB token can now be connected to you.

This isn't completely true.  The USB protocol does have the concept of
a per-device serial number.  I don't know if I'd go so far as to call
it a GUID as it is only unique relative to the vendor and device type,
but in any event, it isn't always used by the manufacturer.  For
example, I have three USB drives on my desk at the moment.  One of
them has an actual (presumably unique) serial number, one has a serial
number of "FFFFFFFF", and the last has a serial number of "0".  There
is also no guarantee that the host computer will log the device serial
number (modern Linux does, but you're more likely to find some flavor
of Windows in an internet cafe).  There is also no guarantee that the
secret police will know what was run from the USB drive (the converse
is true as well, of course).

I can imagine the movie plot, though. :)

> [2] I had sushi with a colleague of the guy who recovered the crosscut
> CD-R.  They gave that task to him person specifically because of his
> severe OCD.  The guy later said it was the happiest month he'd ever
> worked: he was allowed to indulge his OCD for 16 hours a day and
> everybody left him alone.

Do you have a cite on this recovery beyond that story?  I have not
heard of such a thing, and Google came up blank.  I wonder if your
sushi companion was pulling your leg.

David