Why trust gpg4win?

[mirimir]

On 08/25/2013 04:04 AM, Robert J. Hansen wrote:

> On 8/24/2013 5:14 PM, Jan wrote:

SNIP

>> It seems quite easy to advice people to have an offline windows PC
>> with gpg4win on it and all their private stuff and a windows(?)
>> online PC next to it. They could transfer encrypted messages with an
>> USB stick from one PC to the other. I think this is a vector for an
>> attacker, but how serious is this problem?
> 
> Very serious.  USB tokens are great tools for propagating malware.
> Compromise the box that's connected to the net, and as soon as someone
> plugs a flash drive into it, compromise the flash drive.  Bring it over
> to the new computer, plug in there, and bang, you've spanned the air
> gap.  This is not a new attack: it's been known about for many years and
> has been demonstrated in real-world environments.

Small flash cards are cheap enough to use once and then destroy.