Security Concern: Unsigned Windows Executable

reynt0 reynt0 at cs.albany.edu
Fri Jun 5 19:04:25 CEST 2009


On Tue, 2 Jun 2009, Robert J. Hansen wrote:
  . . .
>> But that's exactly the OPs point: "the box" on windows is a "signed
>> executable", whatever that is.  Since gpg is distributed outside of that
>> framework, he's concerned that an attacker could exploit it.
>
> You are not understanding the metaphor; that may be my own fault.  "The
> box" refers to the popular phrase, "think outside the box."
  . . .

I'm a litle late commenting, but I think it's worth noting
in this discussion that any security improvement(s) may be
useful even if any one may not fulfill all the stringent
requirements of an ideal systematic analysis.  If RJH,
whose knowledge I really do quite respect, would suggest
some hierarchy of effort-and-results for the OP's situation,
it probably would be very useful.  Compare Roscoe's Linux
mag LiveCD suggestion, or maybe downloading it at different
times from different places and comparing the files, etc.

If you have mouse holes in your box, plugging at least the 
big ones, or the ones you can reach, or the ones you can do
quickly, and so on, is still a good thing as long as you
are not opening up new holes which will make things worse.
Even something as leaky as Window$ (or even Apple$ these
days?) can be tightened up to make situations at least
somewhat better, right?



More information about the Gnupg-users mailing list