Security Concern: Unsigned Windows Executable

gpg2.20.maniams at gpg2.20.maniams at
Tue Jun 9 07:26:29 CEST 2009


On Fri, Jun 5, 2009 at 10:19 PM, Robert J. Hansen - rjh at
< at> wrote:

> reynt0 wrote:
> > I'm a litle late commenting, but I think it's worth noting
> > in this discussion that any security improvement(s) may be
> > useful even if any one may not fulfill all the stringent
> > requirements of an ideal systematic analysis.
> If your threat model is such that you're concerned about an active MitM
> who is messing with your traffic in order to deliver trojaned binaries
> to you, then you're in a game-over state.  You cannot win.

Friends : While some of this discussion may be annoying, the level of
knowledge, commitment to ones position and the frankness on this list amazes
me. thanks to all those who add to the knowledge base

*My status : *

- I do not worry about an NSA style attack. Where I live, the big bro
wouldn't take all the trouble checking and messin my _network_ to get stuff
out of me !! :-(  They use more conventional ones ..... and ....  If they
were messing with my _network_ I admit that it would be be futile to fight
against it

- As I write,  I think I _do_not_ have a neighbourhood kid problem....but
that potential exists

- I use Win XP

- I have use Cryptography - GPG (the Gpg executable on my Hard disk) for
encrypting files and some mail...mostly commercial ....stuff... still not
rocket launching (thankfully so probably !!)

- I do use secure websites for logging in and out but that is a different
game I suppose ?

*some practical questions with the above as given *

- Would It help if I had two networks to connect to ...say the home one and
the office one ?

- I have very limited restriction on downloading stuff from the gnupg web
sites (files bigger than 30 MB may be a problem...but nothing on GPG / PGP /
front ends / Mail clients seem to be > 30 MB

- what should I check ....but downloading GPG and related material from each
of these networks

- any other things to note ?

Thanks in advance
B regards

> People like to talk about "an active MitM can deliver trojaned binaries
> to you."  Sure, they can do that, but they probably aren't.  They're not
> dumb.  The real situation is "an active MitM who has total control over
> the traffic I receive and is intent on doing me harm."  This is a much,
> much more serious problem.
> I do not believe it is possible to ensure the security of your computers
> or your communications when in the presence of an active MitM done by a
> competent attacker.
> I also do not believe it is wise to base your security policy on an
> assumption that your attacker is incompetent.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20090609/faebe4cc/attachment.htm>

More information about the Gnupg-users mailing list