Why trust gpg4win?
Robert J. Hansen
rjh at sixdemonbag.org
Sun Aug 25 06:04:33 CEST 2013
On 8/24/2013 5:14 PM, Jan wrote:
> We will not be able to change the fact, that most people use an
> insecure Windows or Mac OS, neither.
In a lot of ways, Windows 7 and beyond are much harder targets to crack
than Linux is -- Microsoft's implementation of ASLR is much stronger
than Linux's, for instance, to name just one technology that makes
Windows 7 a harder target than Linux.
*No* operating system deserves the label "secure." *All* operating
systems are vulnerable to more or less equal degrees. The number one
factor in the security of a system is the diligence and attentiveness of
the system administrator. Someone who keeps a Windows box fully
patched, checks links to make sure they're not being spearphished, who
only runs apps from trusted partners, etc., is going to have a much more
secure operating system than someone running an OpenBSD box but who
clicks on everything they come across.
> GIVEN THAT, can we provide a way of secure communication for the
> majority of the people?
No, not until/unless people are willing to pay the price for secure
communication. It doesn't come for free.
Give people the choice between insecure but convenient and secure but a
difficult learning curve, and people will overwhelmingly choose the former.
We cannot make people care. That's one of the hardest truths I've had
> It seems quite easy to advice people to have an offline windows PC
> with gpg4win on it and all their private stuff and a windows(?)
> online PC next to it. They could transfer encrypted messages with an
> USB stick from one PC to the other. I think this is a vector for an
> attacker, but how serious is this problem?
Very serious. USB tokens are great tools for propagating malware.
Compromise the box that's connected to the net, and as soon as someone
plugs a flash drive into it, compromise the flash drive. Bring it over
to the new computer, plug in there, and bang, you've spanned the air
gap. This is not a new attack: it's been known about for many years and
has been demonstrated in real-world environments.
More information about the Gnupg-users